Page 1: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

IBM PowerSC Express Edition
Version 1.1.3

PowerSC Express Edition

IBM



Note: Before using this information and the product it supports, read the information in “Notices” on page 111.

This edition applies to IBM PowerSC Express Edition Version 1.1.3 and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2012, 2014. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

About this document . . . v
What's new in PowerSC Express Edition 1.1.3 . . . 1
PowerSC Express Edition Release Notes Version 1.1.3 . . . 3
PowerSC Express Edition 1.1.3 concepts . . . 5
Installing PowerSC Express Edition Version 1.1.3 . . . 7
Security and Compliance Automation . . . 9
    Security and Compliance Automation concepts . . . 9
        Department of Defense STIG compliance . . . 9
        Payment Card Industry - Data Security Standard compliance . . . 80
        Sarbanes-Oxley Act and COBIT compliance . . . 93
        Health Insurance Portability and Accountability Act (HIPAA) . . . 94
    Managing Security and Compliance Automation . . . 99
        Investigating a failed rule . . . 100
        Updating the failed rule . . . 100
        Creating custom security configuration profile . . . 100
        Testing the applications with AIX Profile Manager . . . 101
        Monitoring systems for continued compliance with AIX Profile Manager . . . 101
    Configuring PowerSC Security and Compliance Automation . . . 101
        Configuring PowerSC compliance options settings . . . 102
        Configuring PowerSC compliance from the command line . . . 102
        Configuring PowerSC compliance with AIX Profile Manager . . . 103
PowerSC Real Time Compliance . . . 105
    Installing PowerSC Real Time Compliance . . . 105
    Configuring PowerSC Real Time Compliance . . . 105
    Identifying files monitored by the PowerSC Real Time Compliance feature . . . 106
    Setting alerts for PowerSC Real Time Compliance . . . 106
PowerSC Express Edition commands . . . 107
    pscxpert Command . . . 107
Notices . . . 111
    Privacy policy considerations . . . 113
    Trademarks . . . 113
Index . . . 115


About this document

This document provides system administrators with complete information about file, system, and network security.

Highlighting

The following highlighting conventions are used in this document:

Bold
    Identifies commands, subroutines, keywords, files, structures, directories, and other items whose names are predefined by the system. Also identifies graphical objects such as buttons, labels, and icons that the user selects.

Italics
    Identifies parameters whose actual names or values are to be supplied by the user.

Monospace
    Identifies examples of specific data values, examples of text similar to what you might see displayed, examples of portions of program code similar to what you might write as a programmer, messages from the system, or information you should actually type.

Case-sensitivity in AIX®

Everything in the AIX operating system is case-sensitive, which means that it distinguishes between uppercase and lowercase letters. For example, you can use the ls command to list files. If you type LS, the system responds that the command is not found. Likewise, FILEA, FiLea, and filea are three distinct file names, even if they reside in the same directory. To avoid causing undesirable actions to be performed, always ensure that you use the correct case.

ISO 9000

ISO 9000 registered quality systems were used in the development and manufacturing of this product.


What's new in PowerSC Express Edition 1.1.3

Read about new or significantly changed information in the PowerSC™ Express Edition 1.1.3 topic collection.

How to see what's new or changed

In this PDF file, you might see revision bars (|) in the left margin that identify new and changed information.

December 2014

The following information provides a summary of the new and updated content for PowerSC Express Edition 1.1.3.2:
- Updated the compliance actions for various profile items in “Department of Defense STIG compliance” on page 9.
- Updated the Network File System protocol information in “Payment Card Industry - Data Security Standard compliance” on page 80.
- Updated the compliance actions for various profile items in “Payment Card Industry - Data Security Standard compliance” on page 80.
- Updated the “pscxpert Command” on page 107.
- Replaced references to the aixpert command with the pscxpert command in various topics.
- Removed and updated obsolete information in various topics.

April 2014

The following information provides a summary of the new and updated content for PowerSC Express Edition 1.1.3.1:
- Updated the information about the support for the United States Department of Defense STIG in “Department of Defense STIG compliance” on page 9.
- Updated the flags for the “pscxpert Command” on page 107.
- Removed and updated obsolete information in various topics.

December 2013

The following information provides a summary of the new and updated content for PowerSC Express Edition 1.1.3:
- Added information about the README.ICEexpress file in “Installing PowerSC Express Edition Version 1.1.3” on page 7.
- Updated the information about the support for the Payment Card Industry - Data Security Standard compliance for version 2.0 of the standard in “Payment Card Industry - Data Security Standard compliance” on page 80.
- Updated the path for the RbacEnablement command in “Health Insurance Portability and Accountability Act (HIPAA)” on page 94.
- Added the “pscxpert Command” on page 107.
- Updated an example in “pscxpert Command” on page 107.


May 2013

Added a table that describes how the AIX Security Expert feature ensures compliance with the Payment Card Industry - Data Security Standard to “Payment Card Industry - Data Security Standard compliance” on page 80.

November 2012

The following information provides a summary of the new and updated content for PowerSC Express Edition 1.1.2:
- Added documentation that describes the Real Time Compliance feature in “PowerSC Real Time Compliance” on page 105.
- Added documentation for the support of the standards as defined by the “Health Insurance Portability and Accountability Act (HIPAA)” on page 94.


PowerSC Express Edition Release Notes Version 1.1.3

The release notes contain information about changes to PowerSC Express Edition Version 1.1.3 that were identified after the documentation was completed.

What's new

Read about new or changed information in the IBM® PowerSC Express Edition release notes topic collection.

May 2014

The following information describes new or changed items that were identified after finalizing the IBM PowerSC Express Edition content:

When you migrate partitions with the DataBase, Department of Defense, Department of Defense Version 2, or Payment Card Industry profiles enabled on your Virtual I/O Server (VIOS), secure tunnels are automatically requested for the migration. An update to the secure tunnel migration process will be provided in VIOS Service Pack 2.2.3.3.

December 2013

The location of the IBM PowerSC content in the information center was restructured.

Read this before installation

To view the most current version of the Release Notes, go to the online Release Notes in the Knowledge Center (http://www.ibm.com/support/knowledgecenter/SSNRQU_1.1.3/com.ibm.powersc113.ee/powersc_ee_rn.htm).

PowerSC Express Edition is a licensed program and is not included with the AIX operating system.

Note: This software might contain errors that could result in a critical business impact. Install the latest available fixes prior to using this software.

Installation, migration, upgrade, and configuration information

For information about installing PowerSC, see “Installing PowerSC Express Edition Version 1.1.3” on page 7.

Fix for Live Partition Mobility (LPM) using IP Security (IPSec) tunnels

A fix for secure tunnel migration support will be available in VIOS service pack 2.2.3.3. This service pack will address APAR IV59934 and should be installed on the VIOS servers.


PowerSC Express Edition 1.1.3 concepts

This overview of PowerSC explains the features, components, and the hardware support related to the PowerSC Express Edition feature.

PowerSC Express Edition 1.1.3 provides security and control of the systems operating within a cloud or in virtualized data centers, and provides an enterprise view and management capabilities. PowerSC Express Edition is a suite of features that includes Security and Compliance Automation and Real Time Compliance. The security technology that is placed within the virtualization layer provides additional security to stand-alone systems.

The following table provides details about the editions, the features included in the editions, the components, and the processor-based hardware on which each component is available.

Table 1. PowerSC Express Edition components, description, operating system supported, and hardware supported

Component: Security and Compliance Automation
    Description: Automates the setting, monitoring, and auditing of security and compliance configuration for the following standards:
        - Payment Card Industry Data Security Standard (PCI DSS)
        - Sarbanes-Oxley Act and COBIT compliance (SOX/COBIT)
        - U.S. Department of Defense (DoD) STIG
        - Health Insurance Portability and Accountability Act (HIPAA)
    Operating system supported: AIX 5.3, AIX 6.1, AIX 7.1
    Hardware supported: POWER5, POWER6®, POWER7®

Component: Real Time Compliance
    Description: Monitors an enabled AIX system to maintain security and provides alerts when a change to the system violates a rule that is identified in the configuration policy.
    Operating system supported:
        - IBM AIX 6 with Technology Level 7, or later, with AIX Event Infrastructure for AIX and AIX Clusters (bos.ahafs 6.1.7.0), or later
        - IBM AIX 7 with Technology Level 1, or later, with AIX Event Infrastructure for AIX and AIX Clusters (bos.ahafs 7.1.1.0), or later
    Hardware supported: There is no specific hardware requirement.


Installing PowerSC Express Edition Version 1.1.3

PowerSC Express Edition includes the powerscExp.ice package. The powerscExp.ice package supports AIX 5.3, AIX 6.1 and AIX Version 7.1.

The powerscExp.ice package must be installed on all AIX systems that require the security and compliance feature of the PowerSC Express Edition.

Install PowerSC Express Edition by using one of the following interfaces:
- The installp command from the command-line interface (CLI)
- The SMIT interface

To install the PowerSC Express Edition by using the SMIT interface, complete the following steps:
1. Run the following command:

   % smitty installp

2. Select the Install Software option.
3. Select the input device or directory for the software to specify the location and the installation file of the IBM Compliance Expert installation image. For example, if the installation image has the directory path and file name /usr/sys/inst.images/powerscExp.ice, you must specify the file path in the INPUT field.
4. View and accept the license agreement. Accept the license agreement by using the down arrow to select ACCEPT new license agreements, and press the tab key to change the value to Yes.
5. Press Enter to start the installation.
6. Verify that the command status is OK after the installation is complete.

A readme file named README.ICEexpress is installed in the /etc/security/aixpert directory. This file contains the implementation details for the compliance profiles that are included with PowerSC Express Edition.

Viewing the software license

The software license can be viewed in the CLI by using the following command:

% installp -lE -d path/filename

Where path/filename specifies the PowerSC Standard Edition installation image.

For example, you can enter the following command using the CLI to specify the license information related to the PowerSC Express Edition:

% installp -lE -d /usr/sys/inst.images/powerscExp.ice


Security and Compliance Automation

AIX Profile Manager manages predefined profiles for security and compliance. The PowerSC Real Time Compliance continuously monitors enabled AIX systems to ensure that they are configured consistently and securely.

The XML profiles automate the recommended AIX system configuration of IBM to be consistent with the Payment Card Data Security Standard, the Sarbanes-Oxley Act, or the U.S. Department of Defense UNIX Security Technical Implementation Guide and Health Insurance Portability and Accountability Act (HIPAA). The organizations that comply with the security standards must use the predefined system security settings.

The AIX Profile Manager operates as an IBM Systems Director plug-in that simplifies applying security settings, monitoring security settings, and auditing security settings for both the AIX operating system and Virtual I/O Server (VIOS) systems. To use the security compliance feature, the PowerSC application must be installed on the AIX managed systems that conform to the compliance standards. The Security and Compliance Automation feature is included in the PowerSC Express Edition, and the PowerSC Standard Edition.

The PowerSC Express Edition installation package, 5765-G82, must be installed on AIX managed systems. The installation package installs the powerscExp.ice fileset that can be implemented on the system by using the AIX Profile Manager or the pscxpert command. PowerSC with IBM Compliance Expert Express (ICEE) compliance is enabled to manage and improve the XML profiles. The XML profiles are managed by the AIX Profile Manager.

Note: Install all applications on the system before you apply a security profile.

Security and Compliance Automation concepts

The PowerSC security and compliance feature is an automated method to configure and audit AIX systems in accordance with the U.S. Department of Defense (DoD) Security Technical Implementation Guide (STIG).

PowerSC helps to automate the configuration and monitoring of systems that must be compliant with the Payment Card Industry (PCI) data security standard (DSS) version 1.2. Therefore, the PowerSC security and compliance feature is an accurate and complete method of security configuration automation that is used to meet the IT compliance requirements of the DoD UNIX STIG, the PCI DSS, the Sarbanes-Oxley act, COBIT compliance (SOX/COBIT), and the Health Insurance Portability and Accountability Act (HIPAA).

Note: PowerSC security and compliance updates the existing XML profiles that are used by IBM Compliance Expert express (ICEE) edition. The PowerSC Express Edition XML profiles can be used with the pscxpert command, similar to ICEE.

The preconfigured compliance profiles delivered with the PowerSC Express Edition reduce the administrative workload of interpreting compliance documentation and implementing the standards as specific system configuration parameters. This technology reduces the cost of compliance configuration and auditing by automating the processes. IBM PowerSC Express Edition is designed to help effectively manage the system requirements associated with external standard compliance, which can potentially reduce costs and improve compliance.

Department of Defense STIG compliance

The U.S. Department of Defense (DoD) requires highly secure computer systems. This level of security and quality defined by DoD meets with the quality and customer base of AIX on Power Systems™ servers.


A secure operating system, such as AIX, must be configured accurately to attain the specified security goals. The DoD recognized the need for security configurations of all operating systems in Directive 8500.1. This directive established the policy and assigned the responsibility to the US defense information security agency (DISA) to provide security configuration guidance.

DISA developed the principles and guidelines in the UNIX Security Technical Implementation Guide (STIG) that provides an environment that meets or exceeds the security requirements of DoD systems that are operating at the mission assurance category (MAC) II sensitive level, which contains sensitive information. The US DoD has stringent IT security requirements and enumerated the details of the required configuration settings to ensure that the system operates in a secure manner. You can leverage the required expert guidance. PowerSC Express Edition helps to automate the process of configuring the settings as defined by DoD.

Note: All of the custom script files that are provided to maintain DoD compliance are in the /etc/security/pscexpert/dodv2 directory.

Beginning with the 1.1.3.1 service pack of IBM PowerSC, PowerSC supports the requirements of version 1 release 2 of the AIX DoD STIG. A summary of the requirements and how to ensure compliance is provided in the tables that follow.

Table 2. DoD general requirements

Each entry lists the Department of Defense STIG checkpoint ID, the category of the STIG rule, the description of the rule, the location of the script where the action is defined, and the compliance action (the result of the action that enables compliance).

AIX00020 (category 2): AIX Trusted Computing Base software must be implemented.
    Location: /etc/security/pscexpert/dodv2/trust
    Compliance action: Ensures that the system meets the specified requirements.

AIX00040 (category 2): The securetcpip command must be used.
    Location: /etc/security/pscexpert/dodv2/dodsecuretcpip
    Compliance action: Ensures that the system meets the specified requirements.

AIX00060 (category 2): The system must be checked weekly for unauthorized setuid files, and unauthorized modification to authorized setuid files.
    Location: /etc/security/pscexpert/dodv2/trust
    Compliance action: Checks weekly to identify changes to the specified files.

AIX00080 (category 1): The SYSTEM attribute must not be set to none for any account.
    Location: /etc/security/pscexpert/dodv2/SYSattr
    Compliance action: Ensures that the specified attribute is set to a value other than none.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


Table 2. DoD general requirements (continued)

AIX00200 (category 2): The system must not allow directed broadcasts to move through the gateway.
    Location: /etc/security/pscexpert/dodv2/ntwkoptsdod
    Compliance action: Sets the value of the direct_broadcast network option to 0.

AIX00210 (category 2): The system must provide protection from Internet Control Message Protocol (ICMP) attacks on TCP connections.
    Location: /etc/security/pscexpert/dodv2/ntwkoptsdod
    Compliance action: Sets the value of the tcp_icmpsecure network option to 1.

AIX00220 (category 2): The system must provide protection for the TCP stack against connection resets, synchronize (SYN), and data injection attacks.
    Location: /etc/security/pscexpert/dodv2/ntwkoptsdod
    Compliance action: Ensures that the value for the tcp_tcpsecure network option is set to 7.

AIX00230 (category 2): The system must provide protection against IP fragmentation attacks.
    Location: /etc/security/pscexpert/dodv2/ntwkoptsdod
    Compliance action: Sets the value of the ip_nfrag network option to 200.

AIX00300 (categories 1, 2, 3): The system must not have the bootp service active.
    Location: /etc/security/pscexpert/dodv2/inetdservices
    Compliance action: Disables the specified service.

AIX00310 (category 2): The /etc/ftpaccess.ctl files must exist.
    Location: /etc/security/pscexpert/dodv2/dodv2loginherald
    Compliance action: Ensures that the file exists.


Table 2. DoD general requirements (continued)

GEN000020 (category 2): The system must require authentication when starting in single-user mode.
    Location: /etc/security/pscexpert/dodv2/rootpasswd_home
    Compliance action: Ensures that the root account for any bootable partitions has a password in the /etc/security/passwd file.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN000100 (category 1): The operating system must be a supported release.
    Location: /etc/security/pscexpert/dodv2/dodv2cat1
    Compliance action: Displays the results of the specified rule tests.

GEN000120 (category 2): The most current system security patches and updates must be installed.
    Location: /usr/sbin/instfix -i and /etc/security/pscexpert/dodv2/dodv2cat1
    Compliance action: Configure this using the Trusted Network Connect feature.

GEN000140 (category 2): The system must be checked weekly for unauthorized setuid files, and unauthorized modification to authorized setuid files.
    Location: /etc/security/pscexpert/dodv2/trust
    Compliance action: Checks weekly to identify changes to the specified files.

GEN000220 (category 2): The system must be checked weekly for unauthorized setuid files, and unauthorized modification to authorized setuid files.
    Location: /etc/security/pscexpert/dodv2/trust
    Compliance action: Checks weekly to identify changes to the specified files.

GEN000240 (category 2): The system clock must be synchronized to an authoritative Department of Defense (DoD) time source.
    Location: /etc/security/pscexpert/dodv2/dodv2cmntrows
    Compliance action: Ensures that the system clock is compliant.


Table 2. DoD general requirements (continued)

GEN000241 (category 2): The system clock must be synchronized continuously, or at least daily.
    Location: /etc/security/pscexpert/dodv2/dodv2cmntrows
    Compliance action: Ensures that the system clock is compliant.

GEN000242 (category 2): The system must use at least two time sources for clock synchronization.
    Location: /etc/security/pscexpert/dodv2/dodv2netrules
    Compliance action: Ensures that more than one time source is used for synchronizing the clock.

GEN000280 (category 2): Direct logins to the following types of accounts must not be allowed: application, default, shared, and utility accounts.
    Location: /etc/security/pscexpert/dodv2/lockacc_rlogin
    Compliance action: Prevents direct logins to the specified accounts.

GEN000290 (category 2): The system must not have unnecessary accounts.
    Location: /etc/security/pscexpert/dodv2/lockacc_rlogin
    Compliance action: Ensures that there are no unused accounts.

GEN000300 (category 2; related to GEN000320, GEN000380, GEN000880): All accounts on the system must have unique user or account names, and unique user or account passwords.
    Location: /etc/security/pscexpert/dodv2/grpusrpass_chk
    Compliance action: Ensures that all accounts meet the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN000320 (category 2; related to GEN000300, GEN000380, GEN000880): All accounts on the system must have unique user or account names, and unique user or account passwords.
    Location: /etc/security/pscexpert/dodv2/grpusrpass_chk
    Compliance action: Ensures that all accounts meet the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


Table 2. DoD general requirements (continued)

GEN000340 (category 2): User IDs (UIDs) and Group IDs (GIDs) that are reserved for system accounts must not be assigned to non-system accounts or non-system groups.
    Location: /etc/security/pscexpert/dodv2/account
    Compliance action: This setting is automatically enabled to enforce this rule.

GEN000360 (category 2): UIDs and GIDs that are reserved for system accounts must not be assigned to non-system accounts or non-system groups.
    Location: /etc/security/pscexpert/dodv2/account
    Compliance action: This setting is automatically enabled to enforce this rule.

GEN000380 (category 2; related to GEN000300, GEN000320, GEN000880): All accounts on the system must have unique user or account names, and unique user or account passwords.
    Location: /etc/security/pscexpert/dodv2/grpusrpass_chk
    Compliance action: Ensures that all accounts meet the specified requirements.

GEN000400 (category 2): The Department of Defense (DoD) login banner must be displayed immediately before, or as part of, console login prompts.
    Location: /etc/security/pscexpert/dodv2/dodv2loginherald
    Compliance action: Displays the required banner.

GEN000402 (category 2): The DoD login banner must be displayed immediately before, or as part of, graphical desktop environment login prompts.
    Location: /etc/security/pscexpert/dodv2/dodv2loginherald
    Compliance action: The login banner is set to the Department of Defense banner.

GEN000410 (category 2): The File Transfer Protocol over SSL (FTPS) or File Transfer Protocol (FTP) service on the system must be configured with the DoD login banner.
    Location: /etc/security/pscexpert/dodv2/dodv2loginherald
    Compliance action: Displays the banner when you use FTP.

GEN000440 (category 2): Successful and unsuccessful attempts to log in and log out must be recorded.
    Location: /etc/security/pscexpert/dodv2/loginout
    Compliance action: Enables the required logging.

GEN000452 (category 2): The system must display the date and time of the last successful account login at the time of each login.
    Location: /etc/security/pscexpert/dodv2/sshDoDconfig
    Compliance action: Displays the required information.


Table 2. DoD general requirements (continued)

Columns: Department of Defense STIG checkpoint ID; category of the STIG rule; description; location of the script where the action is defined, and the results of the action that enables compliance.

GEN000460 (category 2): This rule disables an account after 3 consecutive failed logon attempts.
    Location: /etc/security/pscexpert/dodv2/chusrattrdod
    Compliance action: Sets the login attempt limit to the specified value.

GEN000480 (category 2): This rule sets the login delay time to 4 seconds.
    Location: /etc/security/pscexpert/dodv2/chdefstanzadod
    Compliance action: Sets the login delay time to the required value.

GEN000540 (category 2): This rule ensures the system global password configuration files are configured according to password requirements.
    Location: /etc/security/pscexpert/dodv2/chusrattrdod
    Compliance action: Sets the required password settings.

GEN000560 (category 1): All accounts on the system must have valid passwords.
    Location: /etc/security/pscexpert/dodv2/grpusrpass_chk
    Compliance action: Ensures that accounts have passwords.

GEN000580 (category 2): This rule ensures that all passwords contain a minimum of 14 characters.
    Location: /etc/security/pscexpert/dodv2/chusrattrdod
    Compliance action: Sets the minimum password length to 14 characters.

GEN000585 (category 2): The system must use a Federal Information Processing Standards (FIPS) 140-2 approved cryptographic hashing algorithm for generating account password hashes.
    Location: /etc/security/pscexpert/dodv2/fipspasswd
    Compliance action: Ensures that the password hashes use an approved hashing algorithm.

GEN000590 (category 2): The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
    Location: /etc/security/pscexpert/dodv2/fipspasswd
    Compliance action: Ensures that the password hashes use an approved hashing algorithm.


GEN000595 (category 2): Use a FIPS 140-2 approved cryptographic hashing algorithm when generating the password hashes that are stored on the system.
    Location: /etc/security/pscexpert/dodv2/fipspasswd
    Compliance action: Ensures that the password hashes use an approved hashing algorithm.

GEN000640 (category 2): This rule requires a minimum of one non-alphabetic character in a password.
    Location: /etc/security/pscexpert/dodv2/chusrattrdod
    Compliance action: Sets the minimum number of non-alphabetic characters in a password to 1.

GEN000680 (category 2): This rule ensures that passwords contain no more than three consecutive repeating characters.
    Location: /etc/security/pscexpert/dodv2/chusrattrdod
    Compliance action: Sets the maximum number of repeating characters in a password to 3.

GEN000700 (category 2): This rule ensures the system global password configuration files are configured according to password requirements.
    Location: /etc/security/pscexpert/dodv2/chusrattrdod
    Compliance action: Ensures that the password configuration files meet the requirements.

GEN000740 (category 2): All non-interactive and automated processing account passwords must be locked (GEN000280). Direct logins must not be allowed to shared or default or application or utility accounts (GEN002640). Default system accounts must be disabled or removed.
    Location: /etc/security/pscexpert/dodv2/loginout
    Location: /etc/security/pscexpert/dodv2/lockacc_rlogin
    Compliance action: This setting is automatically enabled.

GEN000740 (category 2): All non-interactive and automated processing account passwords must be changed at least once per year or be locked.
    Location: /etc/security/pscexpert/dodv2/lockacc_rlogin
    Compliance action: Ensures that the specified passwords are changed annually or locked.


GEN000750 (category 2): This rule requires new passwords to contain a minimum of 4 characters that were not in the old password.
    Location: /etc/security/pscexpert/dodv2/chusrattrdod
    Compliance action: Sets the minimum number of new characters that are required in a new password to 4.

GEN000760 (category 2): Accounts must be locked after 35 days of inactivity.
    Location: /etc/security/pscexpert/dodv2/disableacctdod
    Compliance action: Locks accounts after 35 days of inactivity.

GEN000790 (category 2): The system must prevent the use of dictionary words for passwords.
    Location: /etc/security/pscexpert/dodv2/chuserstanzadod
    Compliance action: Ensures that the default password that is being set is not weak.

GEN000800 (category 2): This rule ensures that the last five passwords are not reused.
    Location: /etc/security/pscexpert/dodv2/chusrattrdod
    Compliance action: Ensures that the new password is not the same as any of the last 5 passwords.

GEN000880 (category 2; related to GEN000300, GEN000320, GEN000380): All accounts on the system must have unique user or account names, and unique user or account passwords.
    Location: /etc/security/pscexpert/dodv2/grpusrpass_chk
    Compliance action: Ensures that all accounts meet the specified requirements.

GEN000900 (category 3): The root user's home directory must not be the root directory (/).
    Location: /etc/security/pscexpert/dodv2/rootpasswd_home
    Compliance action: Ensures that the system meets the specified requirement.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.
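The password and login limits in the rows above (GEN000460 through GEN000800, and the FIPS hashing rules GEN000585 to GEN000595) are attributes of the AIX /etc/security/user and /etc/security/login.cfg stanza files. The shell script below is an added example, not the chusrattrdod, chdefstanzadod or fipspasswd script shipped with PowerSC: it parses stanza files of that format and reports each limit as PASS or FAIL. The attribute names (loginretries, logindelay, minlen, minother, maxrepeats, mindiff, histsize, maxage, pwd_algorithm) are the real AIX names; the sample file contents, and the choice of ssha256 and ssha512 as the approved hashing algorithms, are this example's assumptions, because the table does not name the algorithm.

```sh
#!/bin/sh
# Added example, not PowerSC's chusrattrdod/chdefstanzadod/fipspasswd scripts:
# reads AIX-style /etc/security/user and /etc/security/login.cfg stanza files
# and reports whether the limits Table 2 lists are in place. Attribute names
# are the real AIX ones; the sample file contents are constructed.

# stanza_get FILE STANZA ATTR: print ATTR's value from STANZA, or nothing.
# Stanza headers start in column 0 ("default:"), attributes are indented
# "name = value" lines, and lines beginning with "*" are comments.
stanza_get() {
    awk -v st="$2" -v key="$3" '
        /^[ \t]*\*/ { next }
        /^[^ \t]/   { cur = $0; sub(/:.*$/, "", cur); next }
        cur == st && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# check_attr FILE STANZA ATTR OP LIMIT, where OP is
#   eq   value must equal LIMIT
#   ge   value must be at least LIMIT
#   le   value must be at most LIMIT
#   lim  value must be at most LIMIT and not 0 (0 disables the limit on AIX)
# Prints one PASS or FAIL line and always returns 0 so one run reports
# every finding instead of stopping at the first.
check_attr() {
    val=$(stanza_get "$1" "$2" "$3")
    ok=0
    case "$4" in
        eq)  if [ "$val" = "$5" ]; then ok=1; fi ;;
        ge)  if [ -n "$val" ] && [ "$val" -ge "$5" ] 2>/dev/null; then ok=1; fi ;;
        le)  if [ -n "$val" ] && [ "$val" -le "$5" ] 2>/dev/null; then ok=1; fi ;;
        lim) if [ -n "$val" ] && [ "$val" -gt 0 ] 2>/dev/null &&
                [ "$val" -le "$5" ] 2>/dev/null; then ok=1; fi ;;
    esac
    if [ "$ok" = 1 ]; then
        printf 'PASS %s:%s=%s\n' "$2" "$3" "$val"
    else
        printf 'FAIL %s:%s=%s (required %s %s)\n' "$2" "$3" "${val:-unset}" "$4" "$5"
    fi
    return 0
}

# audit_password_policy USERFILE LOGINCFG: run the Table 2 checks.
audit_password_policy() {
    u=$1; l=$2
    check_attr "$u" default loginretries eq  3    # GEN000460
    check_attr "$l" default logindelay   eq  4    # GEN000480 (login.cfg port stanza)
    check_attr "$u" default minlen       ge  14   # GEN000580
    check_attr "$u" default minother     ge  1    # GEN000640
    check_attr "$u" default maxrepeats   le  3    # GEN000680
    check_attr "$u" default mindiff      ge  4    # GEN000750
    check_attr "$u" default histsize     ge  5    # GEN000800
    check_attr "$u" default maxage       lim 52   # GEN000740; maxage counts weeks
    # GEN000585/590/595: Table 2 does not name the algorithm. Accepting the
    # SHA-2 based LPA algorithms ssha256 and ssha512 is this example's assumption.
    alg=$(stanza_get "$l" usw pwd_algorithm)
    case "$alg" in
        ssha256|ssha512) printf 'PASS usw:pwd_algorithm=%s\n' "$alg" ;;
        *) printf 'FAIL usw:pwd_algorithm=%s (required ssha256 or ssha512)\n' "${alg:-unset}" ;;
    esac
    return 0
}

# count_failures: reads a report on stdin, prints the number of FAIL lines.
count_failures() { awk '/^FAIL/ { n++ } END { print n + 0 }'; }

# write_samples DIR: constructed stanza files with two deliberate gaps
# (minlen too short, maxage unlimited) so the report is not all PASS.
write_samples() {
    cat > "$1/user" <<'EOF'
* constructed /etc/security/user
default:
        loginretries = 3
        minlen = 8
        minother = 1
        maxrepeats = 3
        mindiff = 4
        histsize = 5
        maxage = 0
EOF
    cat > "$1/login.cfg" <<'EOF'
* constructed /etc/security/login.cfg
default:
        logindelay = 4

usw:
        shells = /bin/sh,/bin/ksh
        pwd_algorithm = ssha256
EOF
}

# Stand-alone run against the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_password_policy "$tmp/user" "$tmp/login.cfg"
rm -rf "$tmp"
```

Run against a live system by passing /etc/security/user and /etc/security/login.cfg; the "lim" operator matters because a value of 0 for loginretries or maxage silently disables the limit on AIX and must not count as compliant.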


GEN000940 (category 2): The root account's executable search path must be the vendor default, and must contain only absolute paths.
    Location: /etc/security/pscexpert/dodv2/fixpathvars
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN000945 (category 2): The root account's library search path must be the system default, and must contain only absolute paths.
    Location: /etc/security/pscexpert/dodv2/fixpathvars
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN000950 (category 2): The root account's list of preloaded libraries must be empty.
    Location: /etc/security/pscexpert/dodv2/fixpathvars
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN000960 (category 2; related to GEN003000, GEN003020, GEN003160, GEN003360, GEN003380): The root account must not have world-writable directories in its executable search path.
    Location: /etc/security/pscexpert/dodv2/rmwwpaths
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN000980 (category 2): The system must prevent the root account from directly logging in, except from the system console.
    Location: /etc/security/pscexpert/dodv2/chuserstanzadod
    Compliance action: Ensures that the system meets the specified requirements.

GEN001000 (category 2): Remote consoles must be disabled or protected from unauthorized access.
    Location: /etc/security/pscexpert/dodv2/remoteconsole
    Compliance action: Ensures that the specified consoles are disabled.

GEN001020 (category 2): The root account must not be used for direct login.
    Location: /etc/security/pscexpert/dodv2/sshDoDconfig
    Compliance action: Disables the root account from logging in directly.

GEN001060 (category 2): The system must log successful and unsuccessful attempts to access the root account.
    Location: /etc/security/pscexpert/dodv2/loginout
    Compliance action: Ensures that the system meets the specified requirements.

GEN001100 (category 1): Root passwords must never be passed over a network in text form.
    Location: /etc/security/pscexpert/dodv2/chuserstanzadod
    Compliance action: Ensures that the system meets the specified requirements.

GEN001120 (category 2): The system must not allow root login by using the SSH protocol.
    Location: /etc/security/pscexpert/dodv2/sshDoDconfig
    Compliance action: Disables root login for SSH.

GEN001440 (category 3): All interactive users must be assigned a home directory in the /etc/passwd file.
    Location: /etc/security/pscexpert/dodv2/grpusrpass_chk
    Compliance action: Ensures that all interactive users have the specified directory.
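GEN000452, GEN001020 and GEN001120 above are applied by sshDoDconfig, and GEN000400 by dodv2loginherald; all four come down to sshd_config directives. The shell script below is an added example, not PowerSC's script: it reads an sshd_config using OpenSSH's first-occurrence-wins rule and reports the PermitRootLogin, PrintLastLog and Banner directives. The directive names are OpenSSH's own; the sample configuration and its banner path /etc/issue.dod are constructed, and only the global section (before any Match block) is examined.

```sh
#!/bin/sh
# Added example, not PowerSC's sshDoDconfig script: reads an sshd_config and
# reports whether the directives behind GEN000452, GEN001020/GEN001120 and
# GEN000400 match Table 2. Directive names are OpenSSH's own; the sample
# configuration and its banner path are constructed.

# sshd_effective FILE KEYWORD: print the value sshd would use for KEYWORD,
# applying OpenSSH's first-occurrence-wins rule and skipping comments.
# Only the global section is examined; everything from the first Match
# line on is ignored (a simplification). Prints nothing when unset.
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { inmatch = 1 }
        inmatch { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# require_value ID KEYWORD ACTUAL REQUIRED: PASS/FAIL line, comparing
# case-insensitively. An unset directive is reported as FAIL rather than
# trusting the version-dependent OpenSSH default.
require_value() {
    low=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ -n "$3" ] && [ "$low" = "$4" ]; then
        printf 'PASS %s %s=%s\n' "$1" "$2" "$3"
    else
        printf 'FAIL %s %s=%s (required %s)\n' "$1" "$2" "${3:-unset}" "$4"
    fi
}

# check_sshd FILE: one line per requirement; always returns 0.
check_sshd() {
    require_value GEN001120 PermitRootLogin "$(sshd_effective "$1" PermitRootLogin)" no
    require_value GEN000452 PrintLastLog    "$(sshd_effective "$1" PrintLastLog)"    yes
    # GEN000400: Table 2 does not give the banner file; any path but "none"
    # is accepted here.
    banner=$(sshd_effective "$1" Banner)
    if [ -n "$banner" ] && [ "$banner" != none ]; then
        printf 'PASS GEN000400 Banner=%s\n' "$banner"
    else
        printf 'FAIL GEN000400 Banner=%s (a banner file is required)\n' "${banner:-unset}"
    fi
    return 0
}

# write_sample_sshd FILE: constructed sshd_config. The global
# "PermitRootLogin yes" is the finding; the later Match-scoped "no" does
# not override it.
write_sample_sshd() {
    cat > "$1" <<'EOF'
# constructed sshd_config
Port 22
PermitRootLogin yes
PrintLastLog yes
Banner /etc/issue.dod
Match User backup
    PermitRootLogin no
EOF
}

f=$(mktemp)
write_sample_sshd "$f"
check_sshd "$f"
rm -f "$f"
```

On a real host, `sshd -T` prints the fully resolved configuration and is the more reliable source than parsing the file; the parser above is useful where the daemon cannot be queried, such as when auditing a copied configuration offline.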


GEN001475 (category 2): The /etc/group file must not contain any group password hashes.
    Location: /etc/security/pscexpert/dodv2/passwdhash
    Compliance action: Ensures that there are no group password hashes in the specified file.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001600 (category 2): Run control scripts' executable search paths must contain only absolute paths.
    Location: /etc/security/pscexpert/dodv2/fixpathvars
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001605 (category 2): Run control scripts' library search paths must contain only absolute paths.
    Location: /etc/security/pscexpert/dodv2/fixpathvars
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001610 (category 2): Run control scripts' lists of preloaded libraries must contain only absolute paths.
    Location: /etc/security/pscexpert/dodv2/fixpathvars
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN001840 (category 2): All global initialization files' executable search paths must contain only absolute paths.
    Location: /etc/security/pscexpert/dodv2/fixpathvars
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001845 (category 2): All global initialization files' library search paths must contain only absolute paths.
    Location: /etc/security/pscexpert/dodv2/fixpathvars
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001850 (category 2): All global initialization files' lists of preloaded libraries must contain only absolute paths.
    Location: /etc/security/pscexpert/dodv2/fixpathvars
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001900 (category 2): All local initialization files' executable search paths must contain only absolute paths.
    Location: /etc/security/pscexpert/dodv2/fixpathvars
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN001901 (category 2): All local initialization files' library search paths must contain only absolute paths.
    Location: /etc/security/pscexpert/dodv2/fixpathvars
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001902 (category 2): All local initialization files' lists of preloaded libraries must contain only absolute paths.
    Location: /etc/security/pscexpert/dodv2/fixpathvars
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.
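The fixpathvars and rmwwpaths rules for the root account (GEN000940 to GEN000960) and for run control and initialization files (GEN001600 to GEN001902) reduce to two checks on a search-path value: every entry is absolute, and no entry names a world-writable directory. The shell script below is an added example, not the PowerSC script; it audits one PATH-style value (PATH, LIBPATH or LDR_PRELOAD, whether taken from the environment or read out of an rc file) and the directories it names. The sample PATH value and the two sample directories are constructed.

```sh
#!/bin/sh
# Added example, not PowerSC's fixpathvars or rmwwpaths scripts: audits one
# search-path value (PATH, LIBPATH, LDR_PRELOAD, or the same variables read
# out of an rc or initialization file) against GEN000940-GEN000960 and
# GEN001600-GEN001902: every entry must be absolute and no entry may be a
# world-writable directory. Sample values and directories are constructed.

# dir_is_world_writable DIR: true when "other" has write permission. Reads
# the ls -ld mode string (9th character), which works on AIX and Linux alike.
dir_is_world_writable() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1")" in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_search_path NAME VALUE: prints one FAIL line per defective entry:
#   FAIL PATH entry "" is relative            (an empty entry means ".")
#   FAIL PATH entry "/tmp" is world-writable
# An empty VALUE yields no findings (GEN000950 wants LDR_PRELOAD empty).
# Always returns 0; pipe the output through count_findings.
check_search_path() {
    name=$1
    [ -n "$2" ] || return 0
    rest="$2:"                      # trailing ":" makes the loop see every entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            /*) if dir_is_world_writable "$entry"; then
                    printf 'FAIL %s entry "%s" is world-writable\n' "$name" "$entry"
                fi ;;
            *)  printf 'FAIL %s entry "%s" is relative\n' "$name" "$entry" ;;
        esac
    done
    return 0
}

# count_findings: reads a report on stdin, prints the number of FAIL lines.
count_findings() { awk '/^FAIL/ { n++ } END { print n + 0 }'; }

# make_sample_dirs BASE: a safe (755) and a world-writable (777) directory.
make_sample_dirs() {
    mkdir -p "$1/safe" "$1/open"
    chmod 755 "$1/safe"
    chmod 777 "$1/open"
}

# Stand-alone run: a constructed PATH with two relative entries and one
# world-writable directory, then this shell's own PATH.
base=$(mktemp -d)
make_sample_dirs "$base"
check_search_path PATH "/usr/bin:$base/safe:$base/open::bin"
check_search_path PATH "$PATH"
rm -rf "$base"
```

The empty entry between two colons is the case most often missed by eye: the shell treats it as the current directory, so a PATH such as `/usr/bin::/bin` is as dangerous as one that lists `.` explicitly.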

GEN001940 (category 2): User initialization files must not run world-writable programs.
    Location: /etc/security/pscexpert/dodv2/rmwwpaths
    Compliance action: Ensures that the system meets the specified requirements.

GEN001980 (category 2): The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, or the /etc/group files must not contain a plus sign (+) without defining the entries for NIS+ netgroups.
    Location: /etc/security/pscexpert/dodv2/dodv2netrules
    Compliance action: Ensures that the specified files meet the specified requirements.

GEN002000 (category 2): There must be no .netrc files on the system.
    Location: /etc/security/pscexpert/dodv2/dodv2netrules
    Compliance action: Ensures that there are none of the specified files on the system.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN002020 (category 2): All .rhosts, .shosts, or hosts.equiv files must contain only trusted host-user pairs.
    Location: /etc/security/pscexpert/dodv2/dodv2netrules
    Compliance action: Ensures that the specified files conform to this requirement.

GEN002040 (category 1): This rule disables .rhosts, .shosts, and hosts.equiv files or shosts.equiv files.
    Location: /etc/security/pscexpert/dodv2/mvhostsfilesdod
    Compliance action: Disables the specified files.
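GEN001980 through GEN002040 above describe two conditions: bare NIS "+" entries in the account databases, and trusted-host or .netrc files that should not exist. The shell script below is an added example, not dodv2netrules or mvhostsfilesdod: it reports bare "+" or "-" entries in passwd and group files, lists hosts.equiv, shosts.equiv, .rhosts, .shosts and .netrc files that are present, and flags "+" wildcard pairs inside .rhosts and .shosts files. The passwd, group and home-directory samples are constructed.

```sh
#!/bin/sh
# Added example, not PowerSC's dodv2netrules or mvhostsfilesdod scripts:
# reports the conditions behind GEN001980 to GEN002040: bare NIS "+" entries
# in the account databases, hosts.equiv/shosts.equiv and .rhosts/.shosts/
# .netrc files that exist, and "+" wildcard pairs inside them. The sample
# files are constructed under a temporary directory.

# plus_entries FILE: print account-database lines whose first field is a
# bare "+" or "-" (NIS compatibility markers that import every account).
# Entries such as "+@netgroup" name their members and are not reported.
plus_entries() {
    awk -F: '$1 ~ /^[+-]$/ { print FILENAME ": " $0 }' "$1"
    return 0
}

# trust_files ETCDIR HOMEDIR...: FAIL lines for hosts.equiv and
# shosts.equiv under ETCDIR and for .rhosts, .shosts and .netrc in each
# HOMEDIR; .rhosts/.shosts lines with a "+" host or user field are reported
# as well (GEN002020). Always returns 0.
trust_files() {
    etc=$1; shift
    for f in "$etc/hosts.equiv" "$etc/shosts.equiv"; do
        if [ -e "$f" ]; then printf 'FAIL %s exists\n' "$f"; fi
    done
    for h in "$@"; do
        for n in .rhosts .shosts .netrc; do
            f=$h/$n
            if [ -e "$f" ]; then
                printf 'FAIL %s exists\n' "$f"
                if [ "$n" != .netrc ]; then
                    awk -v f="$f" '$1 == "+" || $2 == "+" {
                        print "FAIL " f ": wildcard entry \"" $0 "\"" }' "$f"
                fi
            fi
        done
    done
    return 0
}

# count_findings: reads a report on stdin, prints the number of FAIL lines.
count_findings() { awk '/^FAIL/ { n++ } END { print n + 0 }'; }

# write_samples DIR: constructed passwd/group files and home directories.
# The passwd "+" line and alice's ".rhosts" with "+ +" are the findings;
# the group file's "+@admins" names a netgroup and is compliant.
write_samples() {
    mkdir -p "$1/etc" "$1/home/alice" "$1/home/bob"
    printf 'root:!:0:0::/:/usr/bin/ksh\n+::::::\n' > "$1/passwd"
    printf 'system:!:0:root\n+@admins:*::\n' > "$1/group"
    printf '+ +\n' > "$1/home/alice/.rhosts"
    printf 'machine ftp.example.test login anon password x\n' > "$1/home/bob/.netrc"
}

d=$(mktemp -d)
write_samples "$d"
plus_entries "$d/passwd"
plus_entries "$d/group"
trust_files "$d/etc" "$d/home/alice" "$d/home/bob"
rm -rf "$d"
```

On a live system the home directories to pass are the sixth field of /etc/passwd; a `+ +` line in .rhosts trusts every user on every host, which is why GEN002040 disables the files outright rather than auditing their contents.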

GEN002120 (category 1, 2): This rule checks and configures user shells.
    Location: /etc/security/pscexpert/dodv2/usershells
    Compliance action: Creates the required shells.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN002140 (category 1, 2): All shells that are referenced in the /etc/passwd list must be listed in the /etc/shells file, except any shells that are specified to prevent logins.
    Location: /etc/security/pscexpert/dodv2/usershells
    Compliance action: Ensures that the shells are listed in the correct files.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN002280 (category 2): Device files and directories must be writable only by users with a system account, or as the system is configured by the vendor.
    Location: /etc/security/pscexpert/dodv2/wwdevfiles
    Compliance action: Displays world-writable device files, directories, and any other files on the system that are in non-public directories.

GEN002300 (category 2): Device files that are used for backup must be readable, writable, or both, only by the root user or the backup user.
    Location: /etc/security/pscexpert/dodv2/wwdevfiles
    Compliance action: Displays world-writable device files, directories, and any other files on the system that are in non-public directories.


GEN002400 (category 2): The system must be checked weekly for unauthorized setuid files, and unauthorized modification to authorized setuid files.
    Location: /etc/security/pscexpert/dodv2/trust
    Compliance action: Checks weekly to identify changes to the specified files.
    Note: Compare the two newest weekly logs that are created in the /var/security/pscexpert directory to verify that there was no unauthorized activity.

GEN002420 (category 2): Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted by using the nosuid option.
    Location: /etc/security/pscexpert/dodv2/fsmntoptions
    Compliance action: Ensures that the remotely mounted file systems have the specified options.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN002430 (category 2): Removable media, remote file systems, and any file system that does not contain approved device files must be mounted by using the nodev option.
    Location: /etc/security/pscexpert/dodv2/fsmntoptions
    Compliance action: Ensures that the remotely mounted file systems have the specified options.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.
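GEN002420 and GEN002430 require nosuid and nodev on remote and removable file systems. The shell script below is an added example, not PowerSC's fsmntoptions: it reads a listing in the column layout of the AIX mount command (node, mounted, mounted over, vfs, date, options) and reports remote or removable entries that lack either option. The listing is constructed, and the set of vfs types treated as remote or removable (nfs, nfs3, nfs4, cifs, cdrfs, udfs) is this example's assumption.

```sh
#!/bin/sh
# Added example, not PowerSC's fsmntoptions script: checks a listing in the
# AIX "mount" column layout (node, mounted, mounted over, vfs, date, options)
# for the nosuid and nodev options GEN002420 and GEN002430 require on remote
# and removable file systems. The listing below is constructed.

# has_option OPTS NAME: true when NAME is one of the comma-separated OPTS.
has_option() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_mounts < mount-output: one FAIL line per remote or removable file
# system missing nosuid or nodev. Fields are taken from the right because
# local entries have no "node" column: options is the last field, vfs the
# fifth from the end, mount point the sixth (the date occupies three).
# Which vfs types count as remote or removable is this example's assumption.
check_mounts() {
    awk 'NR > 2 && NF >= 7 {
        opts = $NF; vfs = $(NF-4); over = $(NF-5)
        if (vfs ~ /^(nfs|nfs3|nfs4|cifs|cdrfs|udfs)$/) print over, vfs, opts
    }' | while read -r over vfs opts; do
        if ! has_option "$opts" nosuid; then
            printf 'FAIL %s (%s) lacks nosuid\n' "$over" "$vfs"
        fi
        if ! has_option "$opts" nodev; then
            printf 'FAIL %s (%s) lacks nodev\n' "$over" "$vfs"
        fi
    done
    return 0
}

# count_findings: reads a report on stdin, prints the number of FAIL lines.
count_findings() { awk '/^FAIL/ { n++ } END { print n + 0 }'; }

# sample_mount_output: constructed listing; /home is compliant, /tools lacks
# both options and the CD-ROM lacks nodev.
sample_mount_output() {
    cat <<'EOF'
  node       mounted        mounted over    vfs       date        options
-------- ---------------  ---------------  ------ ------------ ---------------
         /dev/hd4         /                jfs2   Nov 19 10:00 rw,log=/dev/hd8
         /dev/hd2         /usr             jfs2   Nov 19 10:00 rw,log=/dev/hd8
nfssrv   /export/home     /home            nfs3   Nov 19 10:01 rw,hard,intr,nosuid,nodev
nfssrv   /export/tools    /tools           nfs3   Nov 19 10:01 rw,hard,intr
         /dev/cd0         /cdrom           cdrfs  Nov 19 10:02 ro,nosuid
EOF
}

sample_mount_output | check_mounts
```

On AIX the persistent fix is the options attribute of the file system's stanza in /etc/filesystems, which is what a remount will read; checking the live mount table as above catches file systems mounted by hand with weaker options than the stanza declares.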

GEN002480 (category 2): Public directories must be the only world-writable directories, and world-writable files must be located only in public directories.
    Location: /etc/security/pscexpert/dodv2/wwdevfiles
    Location: /etc/security/pscexpert/dodv2/fpmdodfiles
    Compliance action: Reports when world-writable files are not in public directories.
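GEN002280, GEN002300 and GEN002480 all come down to locating world-writable objects outside public (sticky-bit) directories. The shell script below is an added example, not wwdevfiles or fpmdodfiles: it scans a directory tree with POSIX find and ls and reports world-writable directories that are not sticky, and world-writable files whose parent is not a public directory. The tree it scans is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example, not PowerSC's wwdevfiles or fpmdodfiles scripts: reports
# world-writable directories without the sticky bit and world-writable
# regular files outside public directories, the condition GEN002480
# describes. The directory tree it scans is constructed.

# public_dir DIR: true when DIR is world-writable and sticky (mode string
# drwxrwxrwt: "w" in column 9, "t" in column 10), the definition of a
# public directory used here.
public_dir() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1")" in
        d???????wt*) return 0 ;;
        *)           return 1 ;;
    esac
}

# world_writable_report ROOT: FAIL lines for
#   - world-writable directories under ROOT that are not sticky, and
#   - world-writable regular files whose parent is not a public directory.
# Uses only POSIX find predicates; always returns 0.
world_writable_report() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print | sort |
    while read -r p; do
        if [ -d "$p" ]; then
            if ! public_dir "$p"; then
                printf 'FAIL dir %s is world-writable but not sticky\n' "$p"
            fi
        elif ! public_dir "$(dirname "$p")"; then
            printf 'FAIL file %s is world-writable outside a public directory\n' "$p"
        fi
    done
    return 0
}

# count_findings: reads a report on stdin, prints the number of FAIL lines.
count_findings() { awk '/^FAIL/ { n++ } END { print n + 0 }'; }

# write_tree ROOT: constructed tree. ROOT/tmp is a proper public directory,
# so its world-writable scratch file is fine; ROOT/var/spool (777, no
# sticky bit) and alice's world-writable .profile are the findings.
write_tree() {
    mkdir -p "$1/tmp" "$1/var/spool" "$1/home/alice"
    chmod 755 "$1/var" "$1/home" "$1/home/alice"
    chmod 1777 "$1/tmp"
    chmod 777 "$1/var/spool"
    : > "$1/tmp/scratch";         chmod 666 "$1/tmp/scratch"
    : > "$1/home/alice/.profile"; chmod 666 "$1/home/alice/.profile"
    : > "$1/home/alice/notes";    chmod 644 "$1/home/alice/notes"
}

root=$(mktemp -d)
write_tree "$root"
world_writable_report "$root"
rm -rf "$root"
```

Scanning a whole system this way should exclude remote and pseudo file systems (`find -xdev` or `-fstype`, which are not POSIX but are available on AIX and Linux); the world-writable .profile is the case that matters most, since a login script anyone can edit runs with the owner's privileges at the next login.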


GEN002640 (category 2): Default system accounts must be disabled or removed.
    Location: /etc/security/pscexpert/dodv2/lockacc_rlogin
    Location: /etc/security/pscexpert/dodv2/loginout
    Compliance action: Disables default system accounts.

GEN002660 (category 2): Auditing must be enabled.
    Location: /etc/security/pscexpert/dodv2/dodaudit
    Compliance action: Enables the dodaudit command, which enables auditing.

GEN002720 (category 2): The audit system must be configured to audit failed attempts to access files and programs.
    Location: /etc/security/pscexpert/dodv2/dodaudit
    Compliance action: Automatically enables the specified auditing.

GEN002740 (category 2): The audit system must be configured to audit file deletions.
    Location: /etc/security/pscexpert/dodv2/dodaudit
    Compliance action: Automatically enables the specified auditing.

GEN002750 (category 3): The audit system must be configured to audit account creation.
    Location: /etc/security/pscexpert/dodv2/dodaudit
    Compliance action: Automatically enables the specified auditing.

GEN002751 (category 3): The audit system must be configured to audit account modification.
    Location: /etc/security/pscexpert/dodv2/dodaudit
    Compliance action: Automatically enables the specified auditing.

GEN002752 (category 3): The audit system must be configured to audit accounts that are disabled.
    Location: /etc/security/pscexpert/dodv2/dodaudit
    Compliance action: Automatically enables the specified auditing.


GEN002753 (category 3): The audit system must be configured to audit account termination.
    Location: /etc/security/pscexpert/dodv2/dodaudit
    Compliance action: Automatically enables the specified auditing.

GEN002760 (category 2): The audit system must be configured to audit all administrative, privileged, and security actions.
    Location: /etc/security/pscexpert/dodv2/dodaudit
    Compliance action: Automatically enables the specified auditing.

GEN002800 (category 2): The audit system must be configured to audit login, logout, and session initiation.
    Location: /etc/security/pscexpert/dodv2/dodaudit
    Compliance action: Automatically enables the specified auditing.

GEN002820 (category 2): The audit system must be configured to audit all discretionary access control permission modifications.
    Location: /etc/security/pscexpert/dodv2/dodaudit
    Compliance action: Automatically enables the specified auditing.

GEN002825 (category 2): The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
    Location: /etc/security/pscexpert/dodv2/dodaudit
    Compliance action: Automatically enables the specified auditing.

GEN002860 (category 2): Audit logs must be rotated daily.
    Location: /etc/security/pscexpert/dodv2/rotateauditdod
    Compliance action: Ensures that audit logs are rotated.

GEN002960 (category 2): Access to the cron utility must be controlled by using the cron.allow file or cron.deny file, or both.
    Location: /etc/security/pscexpert/dodv2/limitsysacc
    Compliance action: Ensures that the compliant limits are enabled.


GEN003000 (category 2; related to GEN000960, GEN003020, GEN003160, GEN003360, GEN003380): Cron must not run group-writable or world-writable programs.
    Location: /etc/security/pscexpert/dodv2/rmwwpaths
    Compliance action: Ensures that the compliant limits are enabled.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN003020 (category 2; related to GEN000960, GEN003000, GEN003160, GEN003360, GEN003380): Cron must not run programs in, or subordinate to, world-writable directories.
    Location: /etc/security/pscexpert/dodv2/rmwwpaths
    Compliance action: Removes the world-writable permission from the cron program directories.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN003060 (category 2): Default system accounts (except for root) must not be listed in the cron.allow file, or must be included in the cron.deny file if the cron.allow file does not exist.
    Location: cron.allow or cron.deny
    Compliance action: Ensures that the system meets the specified requirements.

GEN003160 (category 2; related to GEN000960, GEN003000, GEN003020, GEN003360, GEN003380): Cron logging must be running.
    Location: /etc/security/pscexpert/dodv2/rmwwpaths
    Compliance action: Ensures that the system meets the specified requirements.

GEN003280 (category 2): Access to the at utility must be controlled by using the at.allow and the at.deny files.
    Location: /etc/security/pscexpert/dodv2/chcronfilesdod
    Compliance action: Ensures that the system meets the specified requirements.

GEN003300 (category 2): The at.deny file must not be empty, if it exists.
    Location: /etc/security/pscexpert/dodv2/chcronfilesdod
    Compliance action: Ensures that the system meets the specified requirements.


GEN003320 (category 2): Default system accounts that are not root must not be listed in the at.allow file, or must be included in the at.deny file if the at.allow file does not exist.
    Location: /etc/security/pscexpert/dodv2/chcronfilesdod
    Compliance action: Ensures that the system meets the specified requirements.

GEN003360 (category 2; related to GEN000960, GEN003000, GEN003020, GEN003160, GEN003380): The at daemon must not run group-writable or world-writable programs.
    Location: /etc/security/pscexpert/dodv2/rmwwpaths
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN003380 (category 2; related to GEN000960, GEN003000, GEN003020, GEN003160, GEN003360): The at daemon must not run programs in, or subordinate to, world-writable directories.
    Location: /etc/security/pscexpert/dodv2/rmwwpaths
    Compliance action: Ensures that the system meets the specified requirements.
    Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN003510 (category 2): Kernel core dumps must be disabled unless they are needed.
    Location: /etc/security/pscexpert/dodv2/coredumpdev
    Compliance action: Disables kernel core dumps.

GEN003540 (category 2): The system must use non-executable program stacks.
    Location: /etc/security/pscexpert/dodv2/sedconfigdod
    Compliance action: Enforces the use of non-executable program stacks.

GEN003600 (category 2): The system must not forward IPv4 source-routed packets.
    Location: /etc/security/pscexpert/dodv2/ntwkoptsdod
    Compliance action: Sets the value of the ipsrcforward network option to 0.


GEN003601 (category 2): TCP backlog queue sizes must be set appropriately.
    Location: /etc/security/pscexpert/dodv2/ntwkoptsdod
    Compliance action: Sets the value of the clean_partial_conns network option to 1.

GEN003603 (category 2): The system must not respond to Internet Control Message Protocol version 4 (ICMPv4) echoes that are sent to a broadcast address.
    Location: /etc/security/pscexpert/dodv2/ntwkoptsdod
    Compliance action: Sets the value of the bcastping network option to 0.

GEN003604 (category 2): The system must not respond to ICMP time stamp requests that are sent to a broadcast address.
    Location: /etc/security/pscexpert/dodv2/ntwkoptsdod
    Compliance action: Sets the value of the bcastping network option to 0.

GEN003605 (category 2): The system must not apply reversed source routing to TCP responses.
    Location: /etc/security/pscexpert/dodv2/ntwkoptsdod
    Compliance action: Sets the value of the nonlocsrcroute network option to 0.

GEN003606 (category 2): The system must prevent local applications from generating source-routed packets.
    Location: /etc/security/pscexpert/dodv2/ntwkoptsdod
    Compliance action: Sets the value of the ipsrcroutesend network option to 0.

GEN003607 (category 2): The system must not accept source-routed IPv4 packets.
    Location: /etc/security/pscexpert/dodv2/ntwkoptsdod
    Compliance action: Disables the ability to accept source-routed IPv4 packets.

GEN003609 (category 2): The system must ignore IPv4 ICMP redirect messages.
    Location: /etc/security/pscexpert/dodv2/ntwkoptsdod
    Compliance action: Sets the value of the ipignoreredirects network option to 1.

Security and Compliance Automation 29

|

|||

||||

|||

||||||

||||

||||||||

|||

|||||||

|||

|||||||

||||

|||||||

||||

|||||||

|||

|||||||

||||

Page 38: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN003610 2 The system must not send IPv4 ICMP redirectmessages. Location

/etc/security/pscexpert/dodv2/ntwkoptsdod

Compliance actionSets the value of theipsendredirects networkoption to 0.

GEN003612 2 The system must be configured to use TCPsyncookies when a TCP SYN flood occurs. Location

/etc/security/pscexpert/dodv2/ntwkoptsdod

Compliance actionSets the value of theclean_partial_conns networkoption to 1.

GEN003640 2 The root file system must use journaling, or anothermethod of ensuring file system consistency. Location

/etc/security/pscexpert/dodv2/chkjournal

Compliance actionEnables journaling on the rootfile system.

GEN003660 2 The system must log authentication informationaldata. Location

/etc/security/pscexpert/dodv2/chsyslogdod

Compliance actionEnables the logging of authand info data.

GEN003700 2 The inetd and xinetd must be disabled or removed ifno network services are using them. Location

/etc/security/pscexpert/dodv2/dodv2services

Compliance actionEnsures that the system meetsthe specified requirements.

GEN003810 2 This portmap or rpcbindservices must not be runningunless they are needed. Location

/etc/security/pscexpert/dodv2/dodv2services

Compliance actionEnsures that the system meetsthe specified requirements.

GEN003815 2 The portmap or rpcbindservices must not be installedunless they are being used. Location

/etc/security/pscexpert/dodv2/dodv2services

Compliance actionEnsures that the system meetsthe specified requirements.

30 IBM PowerSC Express Edition Version 1.1.3: PowerSC Express Edition

|

|||

||||

|||

|||||||

||||

|||||||

||||

|||||||

|||

|||||||

|||

|||||||

|||

|||||||

|||

|||||||

|||

Page 39: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN003820-3860 1,2,3 The rsh, rexexec, and telnet daemons, and therlogind service must not be running. Location

/etc/security/pscexpert/dodv2/inetdservices

Compliance actionDisables the required daemonsand services by commentingout entries in the/etc/inetd.conf file.

GEN003865 2 Network analysis tools must not be installed.Location

/etc/security/pscexpert/dodv2/dodv2services

Compliance actionEnsures that the system meetsthe specified requirements.

GEN003900 2 The hosts.lpd file (or equivalent) must not containan addition sign (+). Location

/etc/security/pscexpert/dodv2/printers

Compliance actionEnsures that the system meetsthe specified requirements.

GEN004220 1 Administrative accounts must not run a web browser,except as needed for local service administration. Location

/etc/security/pscexpert/dodv2/dodv2cat1

Compliance actionDisplays the results of thespecified rule tests.

GEN004460 2 This rule logs auth and info data.Location

/etc/security/pscexpert/dodv2/chsyslogdod

Compliance actionEnables the logging of authand info data.

GEN004540 2 This rule disables the sendmail help command.Location

/etc/security/pscexpert/dodv2/sendmailhelp

/etc/security/pscexpert/dodv2/dodv2cmntrows

Compliance actionDisables the specifiedcommand.

Security and Compliance Automation 31

|

|||

||||

|||

|||||||

|||||

||||||

|||

|||||||

|||

|||||||

|||

||||||

|||

||||||

||

|||

Page 40: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN004580 2 The system must not use .forward files.Location

/etc/security/pscexpert/dodv2/forward

Compliance actionDisables the specified files.Note: This setting is notautomatically changed whenthe policy is reset to the AIXdefault policy by using theDoDv2_to_AIXDefault.xml file.You must manually changethis setting.

GEN004600 1 The SMTP service must be the most current version.Location

/etc/security/pscexpert/dodv2/SMTP_ver

Compliance actionEnsures that the latest versionof the specified service isrunning.Note: This setting is notautomatically changed whenthe policy is reset to the AIXdefault policy by using theDoDv2_to_AIXDefault.xml file.You must manually changethis setting.

GEN004620 2 The sendmail server must have the debugging featuredisabled. Location

/etc/security/pscexpert/dodv2/SMTP_ver

Compliance actionDisables the sendmaildebugging feature.

GEN004640 1 The SMTP service must not have an active uudecodealias. Location

/etc/security/pscexpert/dodv2/SMTPuucode

Compliance actionDisables the uudecode alias.

GEN004710 2 Mail relaying must be restricted.Location

/etc/security/pscexpert/dodv2/sendmaildod

Compliance actionRestricts mail relay.

GEN004800 1,2,3 Unencrypted FTP must not be used on the system.Location

/etc/security/pscexpert/dodv2/inetdservices

Compliance actionDisables the required daemonsand services by commentingout entries in the/etc/inetd.conf file.

32 IBM PowerSC Express Edition Version 1.1.3: PowerSC Express Edition

|

|||

||||

|||

||||||

|||||||||

||||||

|||||||||||

|||||||

|||

|||||||

||

||||||

||

||||||

|||||

Page 41: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN004820 2 Anonymous FTP must not be active on the systemunless it is authorized. Location

/etc/security/pscexpert/dodv2/anonuser

Compliance actionDisables anonymous FTP onthe system.Note: This setting is notautomatically changed whenthe policy is reset to the AIXdefault policy by using theDoDv2_to_AIXDefault.xml file.You must manually changethis setting.

GEN004840 2 If the system is an anonymous FTP server, it must beisolated to the Demilitarized Zone (DMZ) network. Location

/etc/security/pscexpert/dodv2/anonuser

Compliance actionEnsures that an anonymousFTP on the system is on theDMZ network.

GEN004880 2 The ftpusers file must exist.Location

/etc/security/pscexpert/dodv2/chdodftpusers

Compliance actionEnsures that the specified fileis on the system.

GEN004900 2 The ftpusers file must contain the account namesthat are not allowed to use the FTP protocol. Location

/etc/security/pscexpert/dodv2/chdodftpusers

Compliance actionEnsures that the file containsthe required account names.

GEN005000 1 Anonymous FTP accounts must not have a functionalshell. Location

/etc/security/pscexpert/dodv2/usershells

Compliance actionRemoves shells fromanonymous FTP accounts.Note: This setting is notautomatically changed whenthe policy is reset to the AIXdefault policy by using theDoDv2_to_AIXDefault.xml file.You must manually changethis setting.

GEN005080 1 The TFTP daemon must operate in secure-mode,which provides access only to a single directory onthe host file system.

Location/etc/security/pscexpert/dodv2/tftpdod

Compliance actionEnsures that the daemon meetsthe specified requirements.

Security and Compliance Automation 33

|

|||

||||

|||

|||||||

||||||||||

|||||||

||||

||||||

|||

|||||||

|||

|||||||

||||||||||

||||||||

|||

Page 42: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN005120 2 The TFTP daemon must be configured to vendorspecifications, including a dedicated TFTP useraccount, a non-login shell, such as /bin/false, and ahome directory that is owned by the TFTP user.

Location/etc/security/pscexpert/dodv2/tftpdod

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005140 1,2,3 Any active TFTP daemon must be authorized andapproved in the system accreditation package. Location

/etc/security/pscexpert/dodv2/inetdservices

Compliance actionEnsures that the daemon isauthorized.

GEN005160 1,2 Any X Window System host must write .Xauthorityfiles. Location

/etc/security/pscexpert/dodv2/dodv2disableX

Compliance actionEnsures that the host wrote thespecified files.

GEN005200 1,2 Any X Window System displays cannot be exportedpublicly. Location

/etc/security/pscexpert/dodv2/dodv2disableX

Compliance actionDisables the dissemination ofthe specified programs.

GEN005220 1,2 The .Xauthority or X*.hosts (or equivalent) filesmust be used to restrict access to the X WindowSystem server.

Location/etc/security/pscexpert/dodv2/dodv2disableX

Compliance actionEnsures that the specified filesare available to restrict accessto the server.

GEN005240 1,2 The .Xauthority utility must allow access only toauthorized hosts. Location

/etc/security/pscexpert/dodv2/dodv2disableX

Compliance actionEnsures that the access islimited to authorized hosts.

GEN005260 2 This rule disables X Window System connections andXServer login manager. Location

/etc/security/pscexpert/dodv2/dodv2cmntrows

Compliance actionDisables the requiredconnections and loginmanager.

34 IBM PowerSC Express Edition Version 1.1.3: PowerSC Express Edition

|

|||

||||

|||

||||||

|||

|||

|||||||

|||

|||||||

|||

|||||||

|||

||||||||

||||

|||||||

|||

|||||||

||||

Page 43: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN005280 1,2,3 The system must not have the UUCP service active.Location

/etc/security/pscexpert/dodv2/inetdservices

Compliance actionDisables the required daemonsand services by commentingout entries in the/etc/inetd.conf file.

GEN005300 2 SNMP communities must be changed from thedefault settings. Location

/etc/security/pscexpert/dodv2/chsnmp

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005305 2 SNMP service must use only SNMPv3 or a laterversion. Location

/etc/security/pscexpert/dodv2/chsnmp

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005306 2 SNMP service must require the use of a FIPS 140-2.Location

/etc/security/pscexpert/dodv2/chsnmp

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005440 2 The system must use a remote syslog server (loghost). Location

/etc/security/pscexpert/dodv2/EnableTrustedLogging

Compliance actionEnsures that the system isusing a remote syslog server.

GEN005450 2 The system must use a remote syslog server (loghost). Location

/etc/security/pscexpert/dodv2/EnableTrustedLogging

Compliance actionEnsures that the system isusing a remote syslog server.

GEN005460 2 The system must use a remote syslog server (loghost). Location

/etc/security/pscexpert/dodv2/EnableTrustedLogging

Compliance actionEnsures that the system isusing a remote syslog server.

Security and Compliance Automation 35

|

|||

||||

|||

||||||

|||||

|||||||

|||

|||||||

|||

||||||

|||

|||||||

|||

|||||||

|||

|||||||

|||

Page 44: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN005480 2 The system must use a remote syslog server (loghost). Location

/etc/security/pscexpert/dodv2/EnableTrustedLogging

Compliance actionEnsures that the system isusing a remote syslog server.

GEN005500 2 The SSH daemon must be configured to use only theSecure Shell version 2 (SSHv2) protocol. Location

/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005501 2 The SSH client must be configured to use only theSSHv2 protocol. Location

/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005504 2 The SSH daemon must only listen on managementnetwork addresses, unless it is authorized for usesother than management.

Location/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005505 2 The SSH daemon must be configured to use onlyciphers that conform to Federal InformationProcessing Standards (FIPS) 140-2 standards.

Location/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005506 2 The SSH daemon must be configured to use onlyciphers that conform to FIPS 140-2 standards. Location

/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005507 2 The SSH daemon must be configured to use onlyMessage Authentication Codes (MACs) withcryptographic hash algorithms that conform to FIPS140-2 standards.

Location/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005510 2 The SSH client must be configured to use only MACswith ciphers that conform to FIPS 140-2 standards. Location

/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

36 IBM PowerSC Express Edition Version 1.1.3: PowerSC Express Edition

|

|||

||||

|||

|||||||

|||

|||||||

|||

|||||||

|||

||||||||

|||

||||||||

|||

|||||||

|||

||||||

|||

|||

|||||||

|||

Page 45: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN005511 2 The SSH client must be configured to use only MACswith ciphers that conform to FIPS 140-2 standards. Location

/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005512 2 The SSH daemon must be configured to use onlyMACs with cryptographic hash algorithms thatconform to FIPS 140-2 standards.

Location/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005521 2 The SSH daemon must restrict login to specific users,groups, or both. Location

/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005536 2 The SSH daemon must perform strict mode checkingof the home directory configuration files. Location

/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005537 2 The SSH daemon must use privilege separation.Location

/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005538 2 The SSH daemon must not allow rhosts toauthenticate by using the Rivest-Shamir-Adleman(RSA) cryptosystem.

Location/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005539 2 The SSH daemon must not allow compression or mustallow compression only after a successfulauthentication.

Location/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005550 2 The SSH daemon must be configured with the DoDlogon banner. Location

/etc/security/pscexpert/dodv2/sshDoDconfig

Compliance actionEnsures that the system meetsthe specified requirements.

Security and Compliance Automation 37

|

|||

||||

|||

|||||||

|||

||||||||

|||

|||||||

|||

|||||||

|||

||||||

|||

||||||||

|||

||||||||

|||

|||||||

|||

Page 46: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN005560 2 Determine whether there is a default gateway that isconfigured for IPv4. Location

/etc/security/pscexpert/dodv2/chkgtway

Compliance actionEnsures that the system meetsthe specified requirements.Note: This setting is notautomatically changed whenthe policy is reset to the AIXdefault policy by using theDoDv2_to_AIXDefault.xml file.You must manually changethis setting.Note: If your system isrunning the IPv6 protocol,ensure that the ipv6_enabledsetting in the/etc/security/pscexpert/ipv6.conf file is set to thevalue of yes. If system is notusing IPv6, then ensure thatthe ipv6_enabled value is set tono.

GEN005570 2 Determine whether there is a default gateway that isconfigured for IPv6. Location

/etc/security/pscexpert/dodv2/chkgtway

Compliance actionEnsures that the system meetsthe specified requirements.Note: This setting is notautomatically changed whenthe policy is reset to the AIXdefault policy by using theDoDv2_to_AIXDefault.xml file.You must manually changethis setting.Note: If your system isrunning the IPv6 protocol,ensure that the ipv6_enabledsetting in the/etc/security/pscexpert/ipv6.conf file is set to thevalue of yes. If system is notusing IPv6, then ensure thatthe ipv6_enabled value is set tono.

GEN005590 2 The system must not be running any routing protocoldaemons, unless the system is a router. Location

/etc/security/pscexpert/dodv2/dodv2cmntrows

Compliance actionEnsures that the system meetsthe specified requirements.

38 IBM PowerSC Express Edition Version 1.1.3: PowerSC Express Edition

|

|||

||||

|||

|||||||

||||||||||||||||||||

|||||||

||||||||||||||||||||

|||||||

|||

Page 47: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN005590 2 The system must not be running any routing protocoldaemons, unless the system is a router. Location

/etc/security/pscexpert/dodv2/dodv2cmntrows

Compliance actionEnsures that the system meetsthe specified requirements.

GEN005600 2 IP forwarding for IPv4 must not be enabled unlessthe system is a router. Location

/etc/security/pscexpert/dodv2/ntwkoptsdod

Compliance actionSets the value of theipforwarding network optionto 0.

GEN005610 2 The system must not have IP forwarding for IPv6enabled unless the system is an IPv6 router. Location

/etc/security/pscexpert/dodv2/ntwkoptsdod

Compliance actionSets the value of theip6forwarding network optionto 1.

GEN005820 2 The NFS anonymous UID and GID must beconfigured to values without permissions. Location

/etc/security/pscexpert/dodv2/nfsoptions

Compliance actionEnsures that the specified IDsdo not have permissions.

GEN005840 2 The NFS server must be configured to restrict filesystem access to local hosts. Location

/etc/security/pscexpert/dodv2/nfsoptions

Compliance actionConfigures NFS server torestrict access to local hosts.

GEN005880 2 The NFS server must not allow remote root access.Location

/etc/security/pscexpert/dodv2/nfsoptions

Compliance actionDisables remote root access onthe NFS server.

GEN005900 2 The nosuid option must be enabled on all NFS clientmounts. Location

/etc/security/pscexpert/dodv2/nosuid

Compliance actionEnables the nosuid option onall NFS client mounts.

Security and Compliance Automation 39

|

|||

||||

|||

|||||||

|||

|||||||

||||

|||||||

||||

|||||||

|||

|||||||

|||

||||||

|||

|||||||

|||

Page 48: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN006060 2 The system must not run Samba unless it is needed.Location

/etc/security/pscexpert/dodv2/dodv2services

Compliance actionEnsures that the system meetsthe specified requirements.

GEN006380 1 The system must not use UDP for NIS or NIS+.Location

/etc/security/pscexpert/dodv2/dodv2cat1

Compliance actionDisplays the results of thespecified rule tests.

GEN006400 2 The Network Information System (NIS) protocol mustnot be used. Location

/etc/security/pscexpert/dodv2/nisplus

Compliance actionDisables the specified protocol.Note: This setting is notautomatically changed whenthe policy is reset to the AIXdefault policy by using theDoDv2_to_AIXDefault.xml file.You must manually changethis setting.

GEN006420 2 NIS maps must be protected by using hard-to-guessdomain names. Location

/etc/security/pscexpert/dodv2/nisplus

Compliance actionEnsures that domain namesare not easy to determine.

GEN006460 2 Any NIS+ server must be operating at security level2. Location

/etc/security/pscexpert/dodv2/nisplus

Compliance actionEnsures that the server is atthe specified minimumsecurity level.Note: This setting is notautomatically changed whenthe policy is reset to the AIXdefault policy by using theDoDv2_to_AIXDefault.xml file.You must manually changethis setting.

GEN006480 2 The system must be checked weekly for unauthorizedsetuid files, and unauthorized modification toauthorized setuid files.

Location/etc/security/pscexpert/dodv2/trust

Compliance actionChecks weekly to identifychanges to the specified files.

40 IBM PowerSC Express Edition Version 1.1.3: PowerSC Express Edition

|

|||

||||

|||

||||||

|||

||||||

|||

|||||||

|||||||||

|||||||

|||

|||||||

|||||||||||

||||||||

|||

Page 49: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN006560 2 The system must be checked weekly for unauthorizedsetuid files, and unauthorized modification toauthorized setuid files.

Location/etc/security/pscexpert/dodv2/trust

Compliance actionChecks weekly to identifychanges to the specified files.

GEN006580 2 The system must use an access control program.Location

/etc/security/pscexpert/dodv2/checktcpd

Compliance actionEnsures that the system meetsthe specified requirements.

GEN006600 2 The system's access control program must log eachsystem access attempt. Location

/etc/security/pscexpert/dodv2/chsyslogdod

Compliance actionEnsures that access attemptsare logged.

GEN006620 2 The system's access control program must beconfigured to grant or deny system access to specifichosts.

Location/etc/security/pscexpert/dodv2/chetchostsdod

Compliance actionConfigures the hosts.deny andhosts.allow files to therequired settings.

GEN007020 2 The Stream Control Transmission Protocol (SCTP)must be disabled. Location

/etc/security/pscexpert/dodv2/dodv2netrules

Compliance actionDisables the specified protocol.

GEN007700 2 The IPv6 protocol handler must not be bound to thenetwork stack unless it is needed. Location

/etc/security/pscexpert/dodv2/rminet6

Compliance actionDisables the IPv6 protocolhandler from the networkstack, unless the handler isspecified in the/etc/ipv6.conf file.Note: If your system isrunning the IPv6 protocol,ensure that the ipv6_enabledsetting in the/etc/security/pscexpert/ipv6.conf file is set to thevalue of yes. If system is notusing IPv6, then ensure thatthe ipv6_enabled value is set tono.

Security and Compliance Automation 41

|

|||

||||

|||

||||||||

|||

||||||

|||

|||||||

|||

||||||||

||||

|||||||

||

|||||||

||||||||||||||||

Page 50: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN007780 2 The system must not have 6to4 tunnels enabled.Location

/etc/security/pscexpert/dodv2/rmiface

Compliance actionDisables the specified tunnels.Note: This setting is notautomatically changed whenthe policy is reset to the AIXdefault policy by using theDoDv2_to_AIXDefault.xml file.You must manually changethis setting.

GEN007820 2 The system must not have IP tunnels configured.Location

/etc/security/pscexpert/dodv2/rmtunnel

Compliance actionDisables IP tunnels.Note: This setting is notautomatically changed whenthe policy is reset to the AIXdefault policy by using theDoDv2_to_AIXDefault.xml file.You must manually changethis setting.

GEN007840 2 The DHCP client must be disabled if it is not used.Location

/etc/security/pscexpert/dodv2/dodv2services

Compliance actionEnsures that the system meetsthe specified requirements.

GEN007850 2 The DHCP client must not send dynamic DNS updates.Location

/etc/security/pscexpert/dodv2/dodv2services

Compliance actionEnsures that the system meetsthe specified requirements.

GEN007860 2 The system must ignore IPv6 ICMP redirectmessages. Location

/etc/security/pscexpert/dodv2/ntwkoptsdod

Compliance actionSets the value of theipignoreredirects networkoption to 1.

GEN007880 2 The system must not send IPv6 ICMP redirects.Location

/etc/security/pscexpert/dodv2/ntwkoptsdod

Compliance actionSets the value of theipsendredirects networkoption to 0.

42 IBM PowerSC Express Edition Version 1.1.3: PowerSC Express Edition

|

|||

||||

|||

||||||

|||||||||

||||||

|||||||||

||||||

|||

||||||

|||

|||||||

||||

||||||

||||

Page 51: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN007900 2 The system must use an appropriate reverse-pathfilter for IPv6 network traffic, if the system uses IPv6. Location

/etc/security/pscexpert/dodv2/chuserstanzadod

Compliance actionEnsures that the system meetsthe specified requirements.

GEN007920 2 The system must not forward IPv6 source-routedpackets. Location

/etc/security/pscexpert/dodv2/ntwkoptsdod

Compliance actionSets the value of theip6srcrouteforward networkoption to 0.

GEN007940:GEN003607

2 The system must not accept source-routed IPv4 orIPv6 packets. Location

/etc/security/pscexpert/dodv2/ntwkoptsdod

Compliance actionSets the value of theipsrcrouterecv networkoption to 0.

GEN007950 2 The system must not respond to ICMPv6 echorequests that are sent to a broadcast address. Location

/etc/security/pscexpert/dodv2/ntwkoptsdod

Compliance actionSets the value of the bcastpingnetwork option to 0.

GEN008000 2 If the system is using Lightweight Directory AccessProtocol (LDAP) for authentication or accountinformation, certificates that are used to authenticateto the LDAP server must be provided from DoD PKIor a DoD-approved method.

Location/etc/security/pscexpert/dodv2/ldap_config

Compliance actionEnsures that the system meetsthe specified requirements.

GEN008020 2 If the system is using LDAP for authentication oraccount information, the LDAP Transport LayerSecurity (TLS) connection must require the server toprovide a certificate with a valid trust path.

Location/etc/security/pscexpert/dodv2/ldap_config

Compliance actionEnsures that the system meetsthe specified requirements.

GEN008050 2 If the system is using LDAP for authentication oraccount information, the /etc/ldap.conf file (orequivalent) must not contain passwords.

Location/etc/security/pscexpert/dodv2/ldap_config

Compliance actionEnsures that the system meetsthe specified requirements.

Security and Compliance Automation 43

|

|||

||||

|||

|||||||

|||

|||||||

||||

||||||||

||||

|||||||

|||

|||||||

|||

|||

||||||

|||

|||

||||||||

|||

Page 52: IBM PowerSC Express Edition Version 1.1.3: PowerSC Express …public.dhe.ibm.com/systems/power/docs/powersc/113/power... · 2015. 11. 19. · What's new in PowerSC Express Edition

Table 2. DoD general requirements (continued)

Department ofDefense STIGcheckpoint ID

Category ofthe STIGrule Description

Location of the script where the actionis defined and the results of the actionthat enables compliance

GEN008380 (Category 2): The system must be checked weekly for unauthorized setuid files, and unauthorized modification to authorized setuid files.
Location: /etc/security/pscexpert/dodv2/trust
Compliance action: Checks weekly to identify changes to the specified files.

GEN008520 (Category 2): The system must employ a local firewall that guards the host against port scans. The firewall must shun vulnerable ports for 5 minutes to guard the host against port scans.
Location: /etc/security/pscexpert/dodv2/ipsecshunports
Compliance action: Ensures that the system meets the specified requirements.

GEN008540 (Category 2): The system's local firewall must implement a deny-all, allow-by-exception policy.
Location: /etc/security/pscexpert/dodv2/ipsecshunhosthls
Compliance action: Ensures that the system meets the specified requirements.
Note: You can enter additional filter rules in the /etc/security/aixpert/bin/filter.txt file. These rules are integrated by the ipsecshunhosthls.sh script when you apply the profile. The entries should be in the following format:
port_number:ip_address:action
where the possible values for action are Allow or Deny.

GEN008600 (Category 1): The system must be configured to start only from the system boot configuration.
Location: /etc/security/pscexpert/dodv2/dodv2cat1
Compliance action: Ensures that the system starts only from the system boot configuration.

GEN008640 (Category 1): The system must not use removable media as the boot loader.
Location: /etc/security/pscexpert/dodv2/dodv2cat1
Compliance action: Ensures that the system does not boot from a removable drive.


GEN009140 (Category 1,2,3): The system must not have the chargen service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009160 (Category 1,2,3): The system must not have the Calendar Management Service Daemon (CMSD) service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009180 (Category 1,2,3): The system must not have the tool-talk database server (ttdbserver) service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009190 (Category 1,2,3): The system must not have the comsat service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009200-9330 (Category 1,2,3): The system cannot have other services and daemons active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009210 (Category 2): The system must not have the discard service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.


GEN009220 (Category 2): The system must not have the dtspc service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009230 (Category 2): The system must not have the echo service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009240 (Category 2): The system must not have the Internet Message Access Protocol (IMAP) service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009250 (Category 2): The system must not have the Post Office Protocol (POP3) service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009260 (Category 2): The system must not have the talk or ntalk services active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009270 (Category 2): The system must not have the netstat service active on the InetD process.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.


GEN009280 (Category 2): The system must not have the PCNFS service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009290 (Category 2): The system must not have the systat service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009300 (Category 2): The inetd time service must not be active on the system on the inetd daemon.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009310 (Category 2): The system must not have the rusersd service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009320 (Category 2): The system must not have the sprayd service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.

GEN009330 (Category 2): The system must not have the rstatd service active.
Location: /etc/security/pscexpert/dodv2/inetdservices
Compliance action: Disables the required daemons and services by commenting out entries in the /etc/inetd.conf file.


GEN009340 (Category 2): X server login managers must not be running unless they are needed for X11 session management.
Location: /etc/security/pscexpert/dodv2/dodv2cmntrows
Compliance action: This rule disables X Window System connections and the X server login manager.
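The filter.txt rule format described under GEN008540 above, as an added example that is not part of the PowerSC documentation or product code: a POSIX sh validator for the port_number:ip_address:action lines, so a malformed rule is caught before ipsecshunhosthls.sh integrates it. It assumes (the documentation does not say) that ip_address is a dotted-quad IPv4 address, that blank lines and lines starting with '#' are ignored, and that Allow/Deny are matched exactly as spelled.

```shell
#!/bin/sh
# Added example, not from the PowerSC documentation or product code.
# GEN008540: extra firewall rules may be placed in
# /etc/security/aixpert/bin/filter.txt, one per line, as
#     port_number:ip_address:action
# with action Allow or Deny. Assumptions (mine): ip_address is a
# dotted-quad IPv4 address; blank lines and '#' lines are ignored;
# Allow/Deny are case-sensitive, as the documentation spells them.

# check_ipv4 ADDR: 0 if ADDR is four decimal octets each in 0-255, else 1.
check_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ -n "$_octet" ] || return 1          # rejects "10..1.1"
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# validate_filter_rule LINE: 0 if LINE is a well-formed rule; otherwise
# prints the reason on stderr and returns 1.
validate_filter_rule() {
    _rule=$1
    case $_rule in
        *:*:*:*) echo "bad: '$_rule' (more than three fields)" >&2; return 1 ;;
        *:*:*) ;;
        *) echo "bad: '$_rule' (expected port_number:ip_address:action)" >&2; return 1 ;;
    esac
    _port=${_rule%%:*}
    _rest=${_rule#*:}
    _ip=${_rest%%:*}
    _action=${_rest#*:}
    case $_port in
        ''|*[!0-9]*) echo "bad: '$_rule' (port is not a number)" >&2; return 1 ;;
    esac
    if [ ${#_port} -gt 5 ] || [ "$_port" -lt 1 ] || [ "$_port" -gt 65535 ]; then
        echo "bad: '$_rule' (port outside 1-65535)" >&2; return 1
    fi
    if ! check_ipv4 "$_ip"; then
        echo "bad: '$_rule' (ip_address is not a dotted-quad IPv4 address)" >&2; return 1
    fi
    case $_action in
        Allow|Deny) ;;
        *) echo "bad: '$_rule' (action must be Allow or Deny)" >&2; return 1 ;;
    esac
    return 0
}

# validate_filter_file FILE: checks every rule line, reports each bad one on
# stderr, and prints the number of bad lines on stdout (0 means clean).
validate_filter_file() {
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in ''|\#*) continue ;; esac    # assumed comment/blank handling
        validate_filter_rule "$_line" || _bad=$((_bad + 1))
    done < "$1"
    echo "$_bad"
}

# Constructed sample filter.txt for the demonstration (not a real system file).
demo_file=${TMPDIR:-/tmp}/filter_demo.$$
cat > "$demo_file" <<'EOF'
# allow SSH from the admin host, deny telnet from everywhere
22:10.1.2.3:Allow
23:0.0.0.0:Deny
22:10.1.2.3:allow
80:10.1.2:Allow
70000:10.1.2.3:Deny
EOF
echo "bad rules in $demo_file: $(validate_filter_file "$demo_file")"
rm -f "$demo_file"
```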
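As an added example (not PowerSC's own chowndodfiles script, whose contents the documentation does not show), a POSIX sh re-check of the owner and group-owner pairs that Table 3 below lists for individual files, so the result of applying the profile can be verified independently. The paths and allowed owner/group sets come from the table rows; /etc/ntp.conf is the table's own example for GEN000250/GEN000251, and ls -ld is assumed to print owner and group in columns 3 and 4, as it does on AIX and Linux.

```shell
#!/bin/sh
# Added example, not from the PowerSC documentation or product code.
# Table 3 pairs each file with the owner it must have and the groups it may
# be group-owned by (for example GEN001378/GEN001379: /etc/passwd owned by
# root, group-owned by bin, security, sys, or system). This re-checks a set
# of those pairs. It reads 'ls -ld' columns 3 and 4 (assumed layout, true
# on AIX and Linux); a symbolic link is reported as the link itself.

# owner_of FILE / group_of FILE: print the owner or group name of FILE.
owner_of() { set -- $(ls -ld "$1"); echo "$3"; }
group_of() { set -- $(ls -ld "$1"); echo "$4"; }

# in_list NAME "a b c": 0 if NAME is one of the space-separated words.
in_list() {
    for _w in $2; do
        [ "$1" = "$_w" ] && return 0
    done
    return 1
}

# check_ownership FILE OWNERS GROUPS: 0 when FILE's owner is in OWNERS and
# its group is in GROUPS; prints a finding on stderr and returns 1 otherwise.
# A file that does not exist is reported as skipped (rule not applicable).
check_ownership() {
    _file=$1
    if [ ! -e "$_file" ]; then
        echo "SKIP  $_file (not present)" >&2
        return 0
    fi
    _o=$(owner_of "$_file")
    _g=$(group_of "$_file")
    _rc=0
    if ! in_list "$_o" "$2"; then
        echo "FAIL  $_file owner is $_o, expected one of: $2" >&2
        _rc=1
    fi
    if ! in_list "$_g" "$3"; then
        echo "FAIL  $_file group is $_g, expected one of: $3" >&2
        _rc=1
    fi
    [ "$_rc" -eq 0 ] && echo "PASS  $_file ($_o:$_g)" >&2
    return "$_rc"
}

# Rules taken from Table 3: file | allowed owners | allowed groups.
DOD_OWNERSHIP_RULES='
/etc/netsvc.conf|root|bin sys system
/etc/ftpaccess.ctl|root|bin sys system
/etc/ntp.conf|root|bin sys system
/etc/resolv.conf|root|bin sys system
/etc/hosts|root|bin sys system
/etc/nsswitch.conf|root|root bin sys system
/etc/passwd|root|bin security sys system
/etc/group|root|bin security sys system
/etc/security/passwd|root|bin security sys system
/etc/syslog.conf|root|bin sys system
/usr/lib/smb.conf|root|bin sys system
'

# audit_dod_ownership: apply every rule; prints the number of failing files.
audit_dod_ownership() {
    _fail=0
    while IFS='|' read -r _f _owners _groups; do
        [ -n "$_f" ] || continue
        check_ownership "$_f" "$_owners" "$_groups" || _fail=$((_fail + 1))
    done <<EOF
$DOD_OWNERSHIP_RULES
EOF
    echo "$_fail"
}

echo "files failing the Table 3 ownership rules: $(audit_dod_ownership)"
```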

Table 3. DoD ownership requirements

Columns: Department of Defense STIG checkpoint ID; Description; Location of the script where the action is defined and the results of the action that enables compliance.

AIX00085: The /etc/netsvc.conf file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

AIX00090: The /etc/netsvc.conf file must be group-owned by bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, sys, or system.

AIX00320: The /etc/ftpaccess.ctl file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

AIX00330: The /etc/ftpaccess.ctl file must be group-owned by bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, sys, or system.

GEN000250: The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN000251: The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, sys, or system.


GEN001160: All files and directories must have a valid owner.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that all files and directories have a valid owner.

GEN001170: All files and directories must have a valid group owner.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that all files and directories have a valid owner.

GEN001220: All system files, programs, and directories must be owned by a system account.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the system files, programs, and directories are owned by a system account.

GEN001240: System files, programs, and directories must be group-owned by a system group.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: All system files, programs, and directories are group-owned by a system group.

GEN001320: Network Information Systems (NIS)/NIS+/yp files must be owned by root, sys, or bin.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files are owned by root, sys, or bin.

GEN001340: NIS/NIS+/yp files must be group-owned by sys, bin, other, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files are owned by sys, bin, other, or system.

GEN001362: The /etc/resolv.conf file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN001363: The /etc/resolv.conf file must be group-owned by bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, sys, or system.


GEN001366: The /etc/hosts file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN001367: The /etc/hosts file must be group-owned by bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, sys, or system.

GEN001371: The /etc/nsswitch.conf file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN001372: The /etc/nsswitch.conf file must be group-owned by root, bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by root, bin, sys, or system.

GEN001378: The /etc/passwd file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN001379: The /etc/passwd file must be group-owned by bin, security, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, security, sys, or system.

GEN001391: The /etc/group file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN001392: The /etc/group file must be group-owned by bin, security, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, security, sys, or system.


GEN001400: The /etc/security/passwd file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN001410: The /etc/security/passwd file must be group-owned by bin, security, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, security, sys, or system.

GEN001500: All interactive users' home directories must be owned by their respective users.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that all interactive users' home directories are owned by their respective users.

GEN001520: All interactive users' home directories must be group-owned by the home directory owner's primary group.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that all interactive users' home directories are group-owned by the home directory owner's primary group.

GEN001540: All files and directories that are contained in the interactive user's home directories must be owned by the home directory's owner.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that all files and directories that are contained in the interactive user's home directories are owned by the home directory's owner.

GEN001550: All files and directories that are contained in the user's home directories must be group-owned by a group in which the home directory's owner is a member.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that all files and directories that are contained in the user's home directories are group-owned by a group in which the home directory's owner is a member.

GEN001660: All system start files must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files are owned by root.


GEN001680: All system start files must be group-owned by sys, bin, other, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files are group-owned by sys, bin, other, or system.

GEN001740: All global initialization files must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files are owned by root.

GEN001760: All global initialization files must be group-owned by sys, bin, system, or security.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files are group-owned by sys, bin, system, or security.

GEN001820: All skeleton files and directories (typically in /etc/skel) must be owned by root or bin.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files and directories are owned by root or bin.

GEN001830: All skeleton files (typically in /etc/skel) must be group-owned by security.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files are group-owned by security.

GEN001860: All local initialization files must be owned by the user or root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files are owned by the user or root.

GEN001870: Local initialization files must be group-owned by the user's primary group or root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the local initialization files are group-owned by the user's primary group or root.


GEN002060: All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner.
Location: /etc/security/pscexpert/dodv2/chowndodfiles and /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that only the root or the owner can access the specified files.

GEN002100: The .rhosts file must not be supported by the Pluggable Authentication Module (PAM).
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is not available by using PAM.

GEN002200: All shell files must be owned by root or bin.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files are owned by root or bin.

GEN002210: All shell files must be group-owned by root, bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files are group-owned by root, bin, sys, or system.

GEN002340: Audio devices must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that all audio devices are owned by root.

GEN002360: Audio devices must be group-owned by root, sys, bin, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that all audio devices are group-owned by root, sys, bin, or system.

GEN002520: All public directories must be owned by root or an application account.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that all public directories are owned by root or an application account.


GEN002540: All public directories must be group-owned by system or an application group.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that all public directories are group-owned by system or an application group.

GEN002680: System audit logs must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files are owned by root.

GEN002690: System audit logs must be group-owned by bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files are group-owned by bin, sys, or system.

GEN003020: Cron must not run programs in, or subordinate to, world-writable directories.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Prevents cron from running programs in, or subordinate to, world-writable directories.

GEN003040: Crontabs must be owned by root or the crontab creator.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that crontabs are owned by root or by the crontab creator.

GEN003050: Crontab files must be group-owned by system, cron, or the crontab creator's primary group.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the crontab files are group-owned by system, cron, or the crontab creator's primary group.

GEN003110: Cron and crontab directories must not have extended access control lists.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified directories do not have extended access control lists.


GEN003120: Cron and crontab directories must be owned by root or bin.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that cron and crontab directories are owned by root or bin.

GEN003140: Cron and crontab directories must be group-owned by system, sys, bin, or cron.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified directories are group-owned by system, sys, bin, or cron.

GEN003160: Cron logging must be implemented.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that cron logging is implemented.

GEN003240: The cron.allow file must be owned by root, bin, or sys.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root, bin, or sys.

GEN003250: The cron.allow file must be group-owned by system, bin, sys, or cron.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by system, bin, sys, or cron.

GEN003260: The cron.deny file must be owned by root, bin, or sys.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root, bin, or sys.

GEN003270: The cron.deny file must be group-owned by system, bin, sys, or cron.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by system, bin, sys, or cron.

GEN003420: The at directory must be owned by root, bin, sys, daemon, or cron.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified directory is owned by root, sys, daemon, or cron.


GEN003430: The at directory must be group-owned by system, bin, sys, or cron.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified directory is group-owned by system, bin, sys, or cron.

GEN003460: The at.allow file must be owned by root, bin, or sys.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root, bin, or sys.

GEN003470: The at.allow file must be group-owned by system, bin, sys, or cron.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by system, bin, sys, or cron.

GEN003480: The at.deny file must be owned by root, bin, or sys.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root, bin, or sys.

GEN003490: The at.deny file must be group-owned by system, bin, sys, or cron.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by system, bin, sys, or cron.

GEN003720: The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files and directory are owned by root or bin.

GEN003730: The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files and directory are group-owned by bin, sys, or system.

GEN003760: The services file must be owned by root or bin.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root or bin.


GEN003770: The services file must be group-owned by bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, sys, or system.

GEN003920: The hosts.lpd (or equivalent) file must be owned by root, bin, sys, or lp.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root, bin, sys, or lp.

GEN003930: The hosts.lpd (or equivalent) file must be group-owned by bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, sys, or system.

GEN003960: The traceroute command owner must be root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the owner of the command is root.

GEN003980: The traceroute command must be group-owned by sys, bin, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the command is group-owned by sys, bin, or system.

GEN004360: The alias file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN004370: The aliases file must be group-owned by sys, bin, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by sys, bin, or system.


GEN004400: Files that are run through a mail aliases file must be owned by root and must be located within a directory that is owned and writable only by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that files that are run through a mail aliases file are owned by root and are located within a directory that is owned and writable only by root.

GEN004410: Files that are run through a mail aliases file must be group-owned by root, bin, sys, or other. They must also be located within a directory that is group-owned by root, bin, sys, or other.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that files that are run through a mail aliases file are group-owned by root, bin, sys, or other, and are located within a directory that is group-owned by root, bin, sys, or other.

GEN004480: The SMTP service log file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN004920: The ftpusers file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN004930: The ftpusers file must be group-owned by bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, sys, or system.

GEN005360: The snmpd.conf file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN005365: The snmpd.conf file must be group-owned by bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, sys, or system.


GEN005400: The /etc/syslog.conf file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN005420: The /etc/syslog.conf file must be group-owned by bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, sys, or system.

GEN005610: The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that IP forwarding for IPv6 is not enabled unless the system is being used as an IPv6 router.

GEN005740: The NFS export configuration file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN005750: The NFS export configuration file must be group-owned by root, bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by root, bin, sys, or system.

GEN005800: All NFS-exported system files and system directories must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN005810: All NFS-exported system files and system directories must be group-owned by root, bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files and directories are group-owned by root, bin, sys, or system.

GEN006100: The /usr/lib/smb.conf file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

Security and Compliance Automation 59


GEN006120 The /usr/lib/smb.conf file must be group-owned by bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, sys, or system.

GEN006160 The /var/private/smbpasswd file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN006180 The /var/private/smbpasswd file must be group-owned by sys or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by sys or system.

GEN006340 Files in the /etc/news directory must be owned by root or news.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified directory is owned by root or news.

GEN006360 The files in /etc/news must be group-owned by system or news.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified files are group-owned by system or news.

GEN008080 If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.

GEN008100 If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by security, bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, sys, or system.

GEN008140 If the system is using LDAP for authentication or account information, the TLS certificate authority file or directory must be owned by root.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is owned by root.


GEN008160 If the system is using LDAP for authentication or account information, the TLS certificate authority file or directory must be group-owned by root, bin, sys, or system.
Location: /etc/security/pscexpert/dodv2/chowndodfiles
Compliance action: Ensures that the specified file is group-owned by bin, sys, or system.

Table 4. DoD standards for file permissions
Columns: Department of Defense STIG checkpoint ID; Description; Location of the script where the action is defined and the results of the action that enables compliance

AIX00100 The /etc/netsvc.conf file must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

AIX00340 The /etc/ftpaccess.ctl file must have mode 0640 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN000252 The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN000920 The root account's home directory (other than /) must have mode 0700.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the directory is set to the specified permission mode, or to one that is less permissive.

GEN001140 System files and directories must not have uneven access permissions.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the access permissions are consistent.


GEN001180 All network services daemon files must have mode 0755 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN001200 All system command files must have mode 0755 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN001260 System log files must have mode 0640 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN001280 Manual page files must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN001300 Library files must have mode 0755 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN001360 The NIS/NIS+/yp files must have mode 0755 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN001364 The /etc/resolv.conf file must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.


GEN001368 The /etc/hosts file must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN001373 The /etc/nsswitch.conf file must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN001380 The /etc/passwd file must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN001393 The /etc/group file must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN001420 The /etc/security/passwd file must have mode 0400.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN001480 All of a user's home directories must have a mode of 0750 or less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN001560 All files and directories that are contained in a user's home directories must have mode 0750 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.


GEN001580 All run control scripts must have mode 0755 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN001640 Run control scripts must not run world-writable programs or scripts.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Checks programs, such as cron, for world-writable programs or scripts.

GEN001720 All global initialization files must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN001800 All skeleton files (for example, files in /etc/skel) must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN001880 All local initialization files must have mode 0740 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN002220 All shell files must have mode 0755 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN002320 Audio devices must have mode 0660 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the audio devices are set to the specified permission mode, or to one that is less permissive.


GEN002560 The system and user default umask must be 077.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the specified settings are 077.

GEN002700 System audit logs must have mode 0640 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN002717 System audit tool executable files must have mode 0750 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN002980 The cron.allow file must have mode 0600 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN003080 Crontab files must have mode 0600 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN003090 Crontab files must not have extended access control lists (ACLs).
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the specified files do not have extended ACLs.

GEN003100 Cron and crontab directories must have mode 0755 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the specified directories are set to the specified permission mode, or to one that is less permissive.


GEN003180 The cronlog file must have mode 0600 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN003200 The cron.deny file must have mode 0600 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN003252 The at.deny file must have mode 0640 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN003340 The at.allow file must have mode 0600 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN003400 The at directory must have mode 0755 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the directory is set to the specified permission mode, or to one that is less permissive.

GEN003440 At jobs must not set the umask parameter to a value less restrictive than 077.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the parameter is set to the specified permission mode, or to one that is less permissive.

GEN003740 The inetd.conf and xinetd.conf files must have mode 0440 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.


GEN003780 The services file must have mode 0444 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN003940 The hosts.lpd file (or equivalent) must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN004000 The traceroute file must have mode 0700 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN004380 The alias file must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN004420 Files that are run through a mail aliases file must have mode 0755 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN004500 The SMTP service log file must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN004940 The ftpusers file must have mode 0640 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.


GEN005040 All FTP users must have a default umask setting of 077.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the setting is correct.

GEN005100 The TFTP daemon must have mode 0755 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the daemon is set to the specified mode, or to one that is less permissive.

GEN005180 All .Xauthority files must have mode 0600 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN005320 The snmpd.conf file must have mode 0600 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN005340 Management Information Base (MIB) files must have mode 0640 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN005390 The /etc/syslog.conf file must have mode 0640 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN005522 The SSH public host key files must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.


GEN005523 The SSH private host key files must have mode 0600 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the files are set to the specified permission mode, or to one that is less permissive.

GEN006140 The /usr/lib/smb.conf file must have mode 0644 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN006200 The /var/private/smbpasswd file must have mode 0600 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN006260 The /etc/news/hosts.nntp file (or equivalent) must have mode 0600 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN006280 The /etc/news/hosts.nntp.nolimit file (or equivalent) must have mode 0600 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN006300 The /etc/news/nnrp.access file (or equivalent) must have mode 0600 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN006320 The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or a mode that is less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.


GEN008060 If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the file is set to the specified permission mode, or to one that is less permissive.

GEN008180 If the system is using LDAP for authentication or account information, the TLS certificate authority file, directory, or both must have mode 0644 (0755 for directories) or less permissive.
Location: /etc/security/pscexpert/dodv2/fpmdodfiles
Compliance action: Ensures that the specified file, directories, or both, are set to the specified permission mode, or to one that is less permissive.
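The ownership rows of Table 3, the "mode N or a mode that is less permissive" rows of Table 4 and the extended-ACL rows of Table 5 below all reduce to the same inspection of a file's ls -l fields. The following POSIX sh audit is an added example, not one of the PowerSC scripts named in the Location column; it only reports and changes nothing. Its row list is constructed from the tables above, using only paths the tables give in full, and "-" marks an owner or group requirement this section does not state.

```shell
#!/bin/sh
# Added example, not one of the PowerSC scripts under
# /etc/security/pscexpert/dodv2. It reports, for each row listed at the
# bottom, whether a file satisfies the DoD ownership (Table 3), mode
# (Table 4) and extended-ACL (Table 5) rules. It changes nothing.
#
# "Mode N or a mode that is less permissive" means the file grants no
# permission bit that N withholds: 0600 satisfies 0644, 0664 does not, and
# 4755 does not satisfy 0755 because setuid is an extra bit.

# Octal digit for one rwx triplet. s and t imply x; S and T (upper case)
# mean the special bit is set without x.
triplet_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# Convert the permission field of `ls -l` (for example -rwsr-xr-x) to a
# four-digit octal mode. ls is used instead of stat(1) because stat's
# options differ between AIX and Linux while this field is the same on both.
perm_to_octal() {
    u=$(printf '%s' "$1" | cut -c2-4)
    g=$(printf '%s' "$1" | cut -c5-7)
    o=$(printf '%s' "$1" | cut -c8-10)
    sp=0
    case $u in ??[sS]) sp=$((sp + 4)) ;; esac
    case $g in ??[sS]) sp=$((sp + 2)) ;; esac
    case $o in ??[tT]) sp=$((sp + 1)) ;; esac
    printf '%d%d%d%d\n' "$sp" "$(triplet_value "$u")" \
        "$(triplet_value "$g")" "$(triplet_value "$o")"
}

# Succeeds when octal mode $2 is $1 or less permissive (no extra bits set).
mode_ok() {
    [ $(( (0$2) & ~(0$1) )) -eq 0 ]
}

# Succeeds when $2 is one of the comma-separated names in $1; "-" accepts any.
name_ok() {
    [ "$1" = - ] && return 0
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Check one file: $1 path, $2 maximum mode, $3 allowed owners, $4 allowed
# groups. Prints PASS, FAIL (with the reasons) or N/A when the file is absent.
check_file() {
    path=$1 req=$2 owners=$3 groups=$4
    if [ ! -e "$path" ]; then
        printf 'N/A  %s (not present)\n' "$path"
        return 0
    fi
    set -- $(ls -ldL "$path")             # $1 perms, $3 owner, $4 group
    actual=$(perm_to_octal "$1")
    acl=$(printf '%s' "$1" | cut -c11)    # ls marks an extended ACL with "+"
    problems=""
    mode_ok "$req" "$actual" || problems="$problems mode=$actual(max=$req)"
    name_ok "$owners" "$3"   || problems="$problems owner=$3"
    name_ok "$groups" "$4"   || problems="$problems group=$4"
    [ "$acl" = + ] && problems="$problems extended-ACL"
    if [ -n "$problems" ]; then
        printf 'FAIL %s:%s\n' "$path" "$problems"
        return 1
    fi
    printf 'PASS %s %s %s:%s\n' "$path" "$actual" "$3" "$4"
}

# Rows constructed from Tables 3 and 4 above: path, maximum mode, allowed
# owners, allowed groups. "-" means this section states no requirement.
audit_dod_rows() {
    fails=0
    while read -r f mode owners groups; do
        case $f in ''|'#'*) continue ;; esac
        if ! check_file "$f" "$mode" "$owners" "$groups"; then
            fails=$((fails + 1))
        fi
    done <<EOF
/etc/syslog.conf        0640 root bin,sys,system
/usr/lib/smb.conf       0644 root bin,sys,system
/var/private/smbpasswd  0600 root sys,system
/etc/ldap.conf          0644 root security,bin,sys,system
/etc/passwd             0644 -    -
/etc/group              0644 -    -
/etc/security/passwd    0400 -    -
/etc/hosts              0644 -    -
/etc/resolv.conf        0644 -    -
/etc/nsswitch.conf      0644 -    -
/etc/netsvc.conf        0644 -    -
/etc/ftpaccess.ctl      0640 -    -
/etc/ntp.conf           0640 -    -
EOF
    printf '%d finding(s)\n' "$fails"
    return 0
}

audit_dod_rows
```

Rows that are absent on the host are reported as N/A rather than as findings, since several of these files exist only when the corresponding service is installed.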

Table 5. DoD access control list (ACL) requirements
Columns: Department of Defense STIG checkpoint ID; Description; Location of the script where the action is defined and the results of the action that enables compliance

AIX00110 The /etc/netsvc.conf file must not have an extended access control list (ACL).
Location: /etc/security/pscexpert/dodv2/acldodfiles
Compliance action: Disables the specified extended ACL. Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

AIX00350 The /etc/ftpaccess.ctl file must not have an extended ACL.
Location: /etc/security/pscexpert/dodv2/acldodfiles
Compliance action: Disables the specified extended ACL. Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN000253 The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.
Location: /etc/security/pscexpert/dodv2/acldodfiles
Compliance action: Disables the specified extended ACL. Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN000930 The root account's home directory must not have an extended ACL.
Location: /etc/security/pscexpert/dodv2/acldodfiles
Compliance action: Disables the specified extended ACL. Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001190 All network services daemon files must not have extended ACLs.
Location: /etc/security/pscexpert/dodv2/acldodfiles
Compliance action: Disables the specified extended ACL. Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001210 All system command files must not have extended ACLs.
Location: /etc/security/pscexpert/dodv2/acldodfiles
Compliance action: Disables the specified extended ACL. Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001270 System log files must not have extended ACLs, except as needed to support authorized software.
Location: /etc/security/pscexpert/dodv2/acldodfiles
Compliance action: Disables the specified extended ACL. Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001310 All library files must not have extended ACLs.
Location: /etc/security/pscexpert/dodv2/acldodfiles
Compliance action: Disables the specified extended ACL. Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN001361 NIS/NIS+/yp command files must not have extended ACLs.
Location: /etc/security/pscexpert/dodv2/acldodfiles
Compliance action: Disables the specified extended ACL. Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001365 The /etc/resolv.conf file must not have an extended ACL.
Location: /etc/security/pscexpert/dodv2/acldodfiles
Compliance action: Disables the specified extended ACL. Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001369 The /etc/hosts file must not have an extended ACL.
Location: /etc/security/pscexpert/dodv2/acldodfiles
Compliance action: Disables the specified extended ACL. Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001374 The /etc/nsswitch.conf file must not have an extended ACL.
Location: /etc/security/pscexpert/dodv2/acldodfiles
Compliance action: Disables the specified extended ACL. Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001390 The /etc/passwd file must not have an extended ACL.
Location: /etc/security/pscexpert/dodv2/acldodfiles
Compliance action: Disables the specified extended ACL. Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN001394  The /etc/group file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001430  The /etc/security/passwd file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001570  All files and directories that are contained in user home directories must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001590  All run control scripts must have no extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001730  All global initialization files must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN001810  Skeleton files must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN001890  Local initialization files must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN002230  All shell files must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN002330  Audio devices must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN002710  All system audit files must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN002990  Extended ACLs should be disabled for the cron.allow and cron.deny files.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN003090  Crontab files must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN003110  Cron and crontab directories must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN003190  The cron log files must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN003210  The cron.deny file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN003245  The at.allow file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN003255  The at.deny file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN003410  The at directory must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN003745  The inetd.conf and xinetd.conf files must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN003790  The services file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN003950  The hosts.lpd file (or equivalent) must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN004010  The traceroute file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN004390  The alias file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN004430  Files that are run through a mail aliases file must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN004510  The SMTP service log file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN004950  The ftpusers file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN005190  The .Xauthority files must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN005350  Management Information Base (MIB) files must not have extended ACLs.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN005375  The snmpd.conf file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN005395  The /etc/syslog.conf file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN006150  The /usr/lib/smb.conf file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN006210  The /var/private/smbpasswd file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN006270  The /etc/news/hosts.nntp file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN006290  The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN006310  The /etc/news/nnrp.access file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.


GEN006330  The /etc/news/passwd.nntp file must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Disables the specified extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN008120  If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended access control list (ACL).
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Ensures that the specified files do not have an extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.

GEN008200  If the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file or directory (as appropriate) must not have an extended ACL.
  Location: /etc/security/pscexpert/dodv2/acldodfiles
  Compliance action: Ensures that the specified directory or file does not have an extended ACL.
  Note: This setting is not automatically changed when the policy is reset to the AIX default policy by using the DoDv2_to_AIXDefault.xml file. You must manually change this setting.
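Every checkpoint in Table 5 has the same remediation (the extended ACL on the named file is disabled) and the same caveat (a reset through DoDv2_to_AIXDefault.xml does not touch it). The script below is an added example, not the product's acldodfiles script or any other PowerSC code; it reports the extended-permissions state of a list of files by parsing aclget output, so that the state can be verified after a policy apply or reset. It assumes the AIXC text format of aclget, in which an "extended permissions" header line is followed by a line reading enabled or disabled; the file list is a subset of the paths named in the table and is only a default for stand-alone use.

```shell
#!/bin/sh
# Added example (not part of PowerSC): report which of the files that the DoD
# ACL checkpoints cover still carry an extended AIXC ACL.
# Assumed aclget(1) text format: a line "extended permissions" followed by a
# line reading "enabled" or "disabled" (then the permit/deny entries).

# Default file list, taken from the paths that Table 5 names explicitly.
DOD_ACL_FILES="/etc/resolv.conf /etc/hosts /etc/nsswitch.conf /etc/passwd
/etc/group /etc/security/passwd /etc/syslog.conf /etc/ldap.conf"

# Read aclget-style text on stdin and print the extended-permissions state:
# "enabled", "disabled", or "unknown" when no such section is present
# (for example, a file with an NFS4 ACL type, which this parser does not cover).
acl_extended_state() {
    awk '
        /^extended permissions/ { in_ext = 1; next }
        in_ext && /^[ \t]*(enabled|disabled)[ \t]*$/ {
            gsub(/[ \t]/, ""); print; found = 1; exit
        }
        END { if (!found) print "unknown" }
    '
}

# True (exit 0) when the ACL text on stdin has extended permissions enabled.
acl_has_extended() {
    [ "$(acl_extended_state)" = "enabled" ]
}

# Run aclget on each existing file and print "<state>  <path>" per file.
# Returns 1 if any file still has an extended ACL, so the function can serve
# as a compliance gate in a cron job or post-apply check.
check_files() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || { echo "missing  $f"; continue; }
        state=$(aclget "$f" 2>/dev/null | acl_extended_state)
        echo "$state  $f"
        [ "$state" = "enabled" ] && rc=1
    done
    return $rc
}

# Stand-alone use: ./aclcheck.sh [file ...]; with no files, the default list.
if [ "$#" -gt 0 ]; then
    check_files "$@"
elif [ "${ACLCHECK_DEFAULT_LIST:-}" = "1" ]; then
    check_files $DOD_ACL_FILES
fi
```

Because the parser only looks for the enabled/disabled line under the "extended permissions" header, a file whose ACL type is not AIXC is reported as unknown rather than silently passed; treat unknown as "inspect by hand".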

Related information:

Department of Defense STIG compliance

Payment Card Industry - Data Security Standard compliance

The Payment Card Industry - Data Security Standard (PCI - DSS) categorizes IT security into 12 sections that are called the 12 requirements and security assessment procedures.

The 12 requirements and security assessment procedures of IT security that are defined by PCI - DSS include the following items:

Requirement 1: Install and maintain a firewall configuration to protect the data of the cardholder. Section 1.1.5 and Section 2.2.2: Documented list of services and ports necessary for business. This requirement is implemented by disabling unnecessary and insecure services.

Section 1.3.6: Securing and synchronizing router configuration files. This requirement is implemented by setting the Network option clean_partial_conns value to 1.


Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Section 2.1: Always change vendor-supplied defaults before you install a system on the network. This requirement is implemented by disabling the Simple Network Management Protocol (SNMP) daemon.

Requirement 3: Protect the stored data of the cardholder. This requirement is implemented by enabling the Encrypted File System (EFS) feature that is provided with the AIX operating system.

Requirement 4: Encrypt the data of the cardholder when you transmit the data across open public networks. This requirement is implemented by enabling the IP Security (IPSEC) feature that is provided with the AIX operating system.

Requirement 5: Use and regularly update anti-virus software programs. This requirement is implemented by using the Trusted Execution policy program. Trusted Execution is the recommended anti-virus software, and it is native to the AIX operating system. PCI requires that you capture the logs from the Trusted Execution program by enabling security information and event management (SIEM) to monitor the alerts. When the Trusted Execution program runs in log-only mode, it does not stop the checks when an error is caused by a hash mismatch.

Requirement 6: Develop and maintain secure systems and applications. To implement this requirement, you must install the required patches to your system manually. If you purchased PowerSC Standard Edition, you can use the Trusted Network Connect (TNC) feature.

Requirement 7: Restrict access to the cardholder data, by business need to know. You can implement strong access control measures by using the RBAC feature to enable rules and roles. RBAC cannot be automated because it requires the input of an administrator to be enabled.

The RbacEnablement script checks the system to determine whether the isso, so, and sa properties for the roles exist on the system. If these properties do not exist, the script creates them. This script is also run as part of the AIXPert checks that it completes when it is running commands, such as the pscxpert -c command.

Requirement 8: Assign a unique ID to each person who has access to the computer. You can implement this requirement by enabling PCI profiles. The following rules apply to the PCI profile:

- Section 8.5.9: Change user passwords at least every 90 days.
- Section 8.5.10: Require a minimum password length of 7 characters.
- Section 8.5.11: Use a password that contains both numerals and alphabetic characters.
- Section 8.5.12: Do not allow an individual to submit a new password that is the same as the previous four passwords that were used.
- Section 8.5.13: Limit repeated access attempts by locking out the user ID after six unsuccessful attempts.
- Section 8.5.14: Set the lockout duration to 30 minutes, or until an administrator re-enables the user ID.
- Section 8.5.15: Require a user to reenter a password to reactivate a terminal after it is idle for 15 minutes or longer.
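The Requirement 8 rules above map onto per-user AIX attributes that the PCI profile sets through the chusrattr script (the attribute names and compliant values are listed in Table 6 later in this section). The script below is an added example, not product code; it reads lines in the form printed by lsuser -a ... ALL (one user per line, attr=value tokens) and reports every account whose setting is weaker than the profile value, treating a stricter setting as compliant. The sample lines in the usage are constructed; the attribute names and thresholds are those the table gives (maxage 13 weeks, minlen 7, minalpha 1, minother 1, histsize 4, histexpire 52, loginretries 6).

```shell
#!/bin/sh
# Added example, not part of PowerSC: compare AIX user password and lockout
# attributes with the values the PCI profile sets through chusrattr.
# Input lines have the form printed by
#   lsuser -a maxage minlen minalpha minother histsize histexpire loginretries ALL
# that is "<user> attr=value attr=value ...", one user per line.

# Rules as attr:op:bound. A setting stricter than the profile value still
# passes, so upper bounds use le and lower bounds use ge. For the le rules a
# value of 0 means "no limit" on AIX (password never expires, unlimited login
# attempts) and is reported as non-compliant. minage, maxexpired and maxrepeats
# are also set by the profile but have no "stricter" direction, so they are
# not gated here.
PCI_RULES="maxage:le:13 minlen:ge:7 minalpha:ge:1 minother:ge:1 histsize:ge:4 histexpire:ge:52 loginretries:le:6"

# check_user_line "<user> attr=value ..."
# Prints one line per failing attribute, "<user> attr=value (want op bound)",
# and returns 1 if any attribute failed, 0 if the user is compliant.
check_user_line() {
    ul=$1
    user=${ul%% *}
    urc=0
    for rule in $PCI_RULES; do
        attr=${rule%%:*}
        rest=${rule#*:}
        op=${rest%%:*}
        bound=${rest#*:}
        value=
        for tok in ${ul#* }; do
            case $tok in "$attr="*) value=${tok#*=} ;; esac
        done
        ok=1
        if [ -z "$value" ]; then
            ok=0                                  # attribute not set at all
        elif [ "$op" = le ] && [ "$value" -eq 0 ]; then
            ok=0                                  # 0 = unlimited, never compliant
        elif ! [ "$value" -"$op" "$bound" ]; then
            ok=0
        fi
        if [ "$ok" -eq 0 ]; then
            echo "$user $attr=${value:-unset} (want $op $bound)"
            urc=1
        fi
    done
    return $urc
}

# check_users: read user lines on stdin, report every failure, return 1 if any.
check_users() {
    arc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_user_line "$line" || arc=1
    done
    return $arc
}

# Stand-alone use on a live system: ./pcipw.sh --live
if [ "${1:-}" = "--live" ]; then
    lsuser -a maxage minlen minalpha minother histsize histexpire loginretries ALL | check_users
fi
```

Because the profile applies these values with chusrattr at apply time, accounts created afterwards with explicit weaker attributes are exactly what this check catches; the two constructed sample lines in the test (one compliant, one with maxage=0, minlen=6 and loginretries=0) show the output format.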

Requirement 9: Restrict physical access to the data of the cardholder. Store repositories that contain sensitive cardholder data in an access-restricted room.

Requirement 10: Track and monitor all access to network resources and to the cardholder data. Section 10.2: This requirement is implemented by logging access to the system components by enabling the automatic logs on the system components.


Requirement 11: Regularly test the security systems and processes. This requirement is implemented by using the Real-Time Compliance feature.

Requirement 12: Maintain a security policy that includes information security for employees and contractors.

Section 12.3.9: Activation of modems for vendors only when needed by vendors with immediate deactivation after use. This requirement is implemented by disabling remote root login, activating on a needed basis by a system administrator, and then deactivating when it is no longer needed.

PowerSC Express Edition reduces the configuration management that is required to meet the guidelines that are defined by PCI DSS. However, the entire process cannot be automated.

For example, restricting access to the data of the cardholder based on the business requirement cannot be automated. The AIX operating system provides strong security technologies, such as Role Based Access Control (RBAC); however, PowerSC Express Edition cannot automate this configuration because it cannot determine the individuals who require access and the individuals who do not. IBM Compliance Expert can automate the configuration of other security settings that are consistent with the PCI requirements.

When the PCI profile is applied to a database environment, several TCP and UDP ports that are used by the software stack are disabled by restrictions. You must enable these ports and disable the Trusted Execution function to run the application and workload. Run the following commands to remove the restrictions on the ports and disable the Trusted Execution function:

    trustchk -p TE=OFF
    tcptr -delete 9091 65535
    tcptr -delete 9090 9090
    tcptr -delete 112 9089
    tcptr -add 9091 65535 1024 1

Note: All of the custom script files that are provided to maintain PCI - DSS compliance are in the /etc/security/pscexpert/bin directory.
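Several of the PCI profile settings in Table 6 (the comntrows and rctcpip entries) work by commenting out a daemon's start entry: with ":" in /etc/inittab and with "#" in /etc/rc.tcpip. The script below is an added example and is not one of the product scripts in /etc/security/pscexpert/bin; it reports whether each of those entries is active, commented out or absent, which is the check to run after a profile apply or when verifying that a later change did not re-enable a daemon. Assumed formats: /etc/inittab entries are name:runlevel:action:command; /etc/rc.tcpip entries are start <path>/<daemon> ... lines; the daemon list is the one in the table.

```shell
#!/bin/sh
# Added example, not a PowerSC script: report whether the service start entries
# that the PCI profile comments out are active, disabled (commented out) or
# absent. Assumed formats:
#   /etc/inittab   name:runlevel:action:command               comment char ":"
#   /etc/rc.tcpip  start /usr/sbin/<daemon> "$src_running"    comment char "#"

# entry_state NAME FILE COMMENT_CHAR -> prints active | disabled | absent
entry_state() {
    name=$1 file=$2 cc=$3
    awk -v name="$name" -v cc="$cc" '
        {
            line = $0
            commented = (substr(line, 1, 1) == cc)
            if (commented) line = substr(line, 2)
            sub(/^[ \t]+/, "", line)
            if (cc == ":") {
                # inittab: the entry name is the first colon-separated field
                split(line, f, ":")
                hit = (f[1] == name)
            } else {
                # rc.tcpip: "start <path>/<name>" followed by a blank or end of line,
                # so snmpd does not match the snmpmibd entry
                hit = (line ~ ("^start[ \t]+[^ \t]*/" name "([ \t]|$)"))
            }
            if (hit) { state = commented ? "disabled" : "active"; exit }
        }
        END { print (state == "" ? "absent" : state) }
    ' "$file"
}

# Entries from Table 6, grouped by the file and comment character used there.
INITTAB_ENTRIES="lpd dt"
RCTCPIP_ENTRIES="timed xntpd rwhod snmpd snmpmibd aixmibd hostmibd"

# audit_services [INITTAB [RC_TCPIP]]: print "<state> <entry> <file>" for each
# entry; return 1 if any entry is still active (the non-compliant state).
audit_services() {
    inittab=${1:-/etc/inittab}
    rctcpip=${2:-/etc/rc.tcpip}
    src=0
    for n in $INITTAB_ENTRIES; do
        s=$(entry_state "$n" "$inittab" ":")
        echo "$s $n $inittab"
        [ "$s" = active ] && src=1
    done
    for n in $RCTCPIP_ENTRIES; do
        s=$(entry_state "$n" "$rctcpip" "#")
        echo "$s $n $rctcpip"
        [ "$s" = active ] && src=1
    done
    return $src
}

# Stand-alone use: ./svcstate.sh [/etc/inittab [/etc/rc.tcpip]]
if [ "$#" -gt 0 ]; then
    audit_services "$@"
fi
```

"absent" is reported separately from "disabled" on purpose: an entry that is missing from the file is not started at boot either, but it also means the profile's comment-out step had nothing to act on, which is worth knowing when comparing systems.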

The following table shows how PowerSC Express Edition addresses the requirements of the PCI DSS standard by using the functions of the AIX Security Expert utility:

Table 6. Settings related to the PCI DSS compliance 2.0 standard

Columns: Implements these PCI DSS standards; Implementation specification; The AIX Security Expert implementation; Location of the value and the setting that is required for compliance (when applicable).

2.1  Always change vendor-supplied defaults before installing a system on the network. For example, include passwords, simple network management protocol community strings, and eliminate unnecessary accounts.
  AIX Security Expert implementation: Sets the minimum number of weeks that must pass before you can change a password to 0 weeks.
  Location: /etc/security/pscexpert/bin/chusrattr
  Compliant value: minage=0

8.5.9  Change user passwords at least every 90 days.
  AIX Security Expert implementation: Sets the maximum number of weeks that a password is valid to 13 weeks.
  Location: /etc/security/pscexpert/bin/chusrattr
  Compliant value: maxage=13


2.1  Always change vendor-supplied defaults before installing a system on the network. For example, include passwords, simple network management protocol community strings, and eliminate unnecessary accounts.
  AIX Security Expert implementation: Sets the number of weeks that an account with an expired password remains in the system to 8 weeks.
  Location: /etc/security/pscexpert/bin/chusrattr
  Compliant value: maxexpired=8

8.5.10  Require a minimum password length of at least 7 characters.
  AIX Security Expert implementation: Sets the minimum password length to 7 characters.
  Location: /etc/security/pscexpert/bin/chusrattr
  Compliant value: minlen=7

8.5.11  Use passwords that contain both numeric and alphabetic characters.
  AIX Security Expert implementation: Sets the minimum number of alphabetic characters that are required in a password to 1. This setting ensures that the password contains alphabetic characters.
  Location: /etc/security/pscexpert/bin/chusrattr
  Compliant value: minalpha=1

8.5.11  Use passwords that contain both numeric and alphabetic characters.
  AIX Security Expert implementation: Sets the minimum number of non-alphabetic characters that are required in a password to 1. This setting ensures that the password contains non-alphabetic characters.
  Location: /etc/security/pscexpert/bin/chusrattr
  Compliant value: minother=1

2.1  Always change vendor-supplied defaults before installing a system on the network. For example, include passwords, simple network management protocol community strings, and eliminate unnecessary accounts.
  AIX Security Expert implementation: Sets the maximum number of times that a character can be repeated in a password to 8. This setting indicates that a character in a password can be repeated an unlimited number of times as long as it conforms to the other password limitations.
  Location: /etc/security/pscexpert/bin/chusrattr
  Compliant value: maxrepeats=8

8.5.12  Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
  AIX Security Expert implementation: Sets the number of weeks before a password can be reused to 52.
  Location: /etc/security/pscexpert/bin/chusrattr
  Compliant value: histexpire=52

8.5.12  Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
  AIX Security Expert implementation: Sets the number of previous passwords that you cannot reuse to 4.
  Location: /etc/security/pscexpert/bin/chusrattr
  Compliant value: histsize=4

8.5.13  Limit repeated access attempts by locking out the user ID after not more than six attempts.
  AIX Security Expert implementation: Sets the number of consecutive unsuccessful login attempts that disables an account to 6 attempts for each non-root account.
  Location: /etc/security/pscexpert/bin/chusrattr
  Compliant value: loginretries=6


8.5.13  Limit repeated access attempts by locking out the user ID after not more than six attempts.
  AIX Security Expert implementation: Sets the number of consecutive unsuccessful login attempts that disables a port to 6 attempts.
  Location: /etc/security/pscexpert/bin/chdefstanza, /etc/security/login.cfg
  Compliant value: logindisable=6

8.5.14  Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID.
  AIX Security Expert implementation: Sets the duration of time that a port is locked after it is disabled by the logindisable attribute to 30 minutes.
  Location: /etc/security/pscexpert/bin/chdefstanza, /etc/security/login.cfg
  Compliant value: loginreenable=30

12.3.9  Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
  AIX Security Expert implementation: Disables the remote root login function by setting its value to false. The system administrator can activate the remote login function as needed, and then deactivate it when the task is complete.
  Location: /etc/security/pscexpert/bin/chuserstanza, /etc/security/user
  Compliant value: rlogin=false root

8.1  Assign all users a unique ID before allowing them to access system components or cardholder data.
  AIX Security Expert implementation: Enables the function that ensures that all users have a unique user name before they can access system components or cardholder data by setting that function to a value of true.
  Location: /etc/security/pscexpert/bin/chuserstanza, /etc/security/user
  Compliant value: login=true root

10.2  Enable auditing on the system.
  AIX Security Expert implementation: Enables auditing of the binary files on the system.
  Location: /etc/security/pscexpert/bin/pciaudit
  Compliant value: h

1.1.5, 2.2.2  Disable unnecessary and insecure services, which includes the lpd daemon.
  AIX Security Expert implementation: Stops the lpd daemon and comments out the corresponding entry in the /etc/inittab file that automatically starts the daemon.
  Location: /etc/security/pscexpert/bin/comntrows
  Compliant value: lpd: /etc/inittab : d

1.1.5, 2.2.2  Disable unnecessary and insecure services, which includes the Common Desktop Environment (CDE).
  AIX Security Expert implementation: Disables the CDE function when the layer four traceroute (LFT) is not configured.
  Location: /etc/security/pscexpert/bin/comntrows
  Compliant value: "dt" "/etc/inittab" ":" d

1.1.5, 2.2.2  Disable unnecessary and insecure services, which includes the timed daemon.
  AIX Security Expert implementation: Stops the timed daemon and comments out the corresponding entry in the /etc/rc.tcpip file that automatically starts the daemon.
  Location: /etc/security/pscexpert/bin/rctcpip
  Compliant value: timed d


Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the NTP daemon.
Implementation: Stops the NTP daemon and comments out the corresponding entry in the /etc/rc.tcpip file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/rctcpip
Compliant value: xntpd d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the rwhod daemon.
Implementation: Stops the rwhod daemon and comments out the corresponding entry in the /etc/rc.tcpip file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/rctcpip
Compliant value: rwhod d

Standard 2.1: Change the vendor-supplied defaults before installing a system on the network, which includes disabling the SNMP daemon.
Implementation: Stops the SNMP daemon and comments out the corresponding entry in the /etc/rc.tcpip file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/rctcpip
Compliant value: snmpd d

Standard 2.1: Change vendor-supplied defaults before installing a system on the network, which includes disabling the SNMPMIBD daemon.
Implementation: Disables the SNMPMIBD daemon.
Location: /etc/security/pscexpert/bin/rctcpip
Compliant value: snmpmibd d

Standard 2.1: Change vendor-supplied defaults before installing a system on the network, which includes disabling the AIXMIBD daemon.
Implementation: Disables the AIXMIBD daemon.
Location: /etc/security/pscexpert/bin/rctcpip
Compliant value: aixmibd d

Standard 2.1: Change vendor-supplied defaults before installing a system on the network, which includes disabling the HOSTMIBD daemon.
Implementation: Disables the HOSTMIBD daemon.
Location: /etc/security/pscexpert/bin/rctcpip
Compliant value: hostmibd d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the DPID2 daemon.
Implementation: Stops the DPID2 daemon and comments out the corresponding entry in the /etc/rc.tcpip file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/rctcpip
Compliant value: dpid2 d

Standard 2.1: Change vendor-supplied defaults before installing a system on the network, which includes stopping the DHCP server.
Implementation: Disables the DHCP server.
Location: /etc/security/pscexpert/bin/rctcpip
Compliant value: dhcpsd d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the DHCP agent.
Implementation: Stops and disables the DHCP relay agent and comments out the corresponding entry in the /etc/rc.tcpip file that automatically starts the agent.
Location: /etc/security/pscexpert/bin/rctcpip
Compliant value: dhcprd d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the rshd daemon.
Implementation: Stops and disables all instances of the rshd daemon and the rshd pci_shell service, and comments out the corresponding entries in the /etc/inetd.conf file that automatically start the instances.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: shell tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the rlogind daemon.
Implementation: Stops and disables all instances of the rlogind daemon and the rlogind pci.rlogin service. The AIX Security Expert utility also comments out the corresponding entries in the /etc/inetd.conf file that automatically start the instances.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: login tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the rexecd daemon.
Implementation: Stops and disables all instances of the rexecd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: exec tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the comsat daemon.
Implementation: Stops and disables all instances of the comsat daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: comsat udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the fingerd daemon.
Implementation: Stops and disables all instances of the fingerd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: finger tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the systat daemon.
Implementation: Stops and disables all instances of the systat daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: systat tcp d

Standard 2.1: Change vendor-supplied defaults before installing a system on the network, which includes disabling the netstat command.
Implementation: Disables the netstat command.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: netstat tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the tftp daemon.
Implementation: Stops and disables all instances of the tftp daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: tftp udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the talkd daemon.
Implementation: Stops and disables all instances of the talkd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: talk udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the rquotad daemon.
Implementation: Stops and disables all instances of the rquotad daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: rquotad udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the rstatd daemon.
Implementation: Stops and disables all instances of the rstatd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: rstatd udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the rusersd daemon.
Implementation: Stops and disables all instances of the rusersd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: rusersd udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the rwalld daemon.
Implementation: Stops and disables all instances of the rwalld daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: rwalld udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the sprayd daemon.
Implementation: Stops and disables all instances of the sprayd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: sprayd udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the pcnfsd daemon.
Implementation: Stops and disables all instances of the pcnfsd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: pcnfsd udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the TCP echo service.
Implementation: Stops and disables all instances of the echo(tcp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: echo tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the TCP discard service.
Implementation: Stops and disables all instances of the discard(tcp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: discard tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the TCP chargen service.
Implementation: Stops and disables all instances of the chargen(tcp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: chargen tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the TCP daytime service.
Implementation: Stops and disables all instances of the daytime(tcp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: daytime tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the TCP time service.
Implementation: Stops and disables all instances of the timed(tcp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: time tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the UDP echo service.
Implementation: Stops and disables all instances of the echo(udp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: echo udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the UDP discard service.
Implementation: Stops and disables all instances of the discard(udp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: discard udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the UDP chargen service.
Implementation: Stops and disables all instances of the chargen(udp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: chargen udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the UDP daytime service.
Implementation: Stops and disables all instances of the daytime(udp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: daytime udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the UDP time service.
Implementation: Stops and disables all instances of the timed(udp) service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: time udp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the FTP service.
Implementation: Stops and disables all instances of the ftpd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: ftp tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the telnet service.
Implementation: Stops and disables all instances of the telnetd daemon. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the daemon.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: telnet tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes dtspc.
Implementation: Stops and disables all instances of the dtspc daemon. The AIX Security Expert also comments out the corresponding entry in the /etc/inittab file that automatically starts the daemon when the LFT is not configured and the CDE is disabled in the /etc/inittab file.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: dtspc tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the ttdbserver service.
Implementation: Stops and disables all instances of the ttdbserver service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: ttdbserver tcp d

Standard 1.1.5, 2.2.2: Disable unnecessary and insecure services, which includes the cmsd service.
Implementation: Stops and disables all instances of the cmsd service. The AIX Security Expert utility also comments out the corresponding entry in the /etc/inetd.conf file that automatically starts the service.
Location: /etc/security/pscexpert/bin/cominetdconf
Compliant value: cmsd udp d

Standard 2.2.3: Configure system security parameters to prevent misuse.
Implementation: Removes the Set User ID (SUID) commands.
Location: /etc/security/pscexpert/bin/rmsuidfrmrcmds
Compliant value: r

Standard 2.2.3: Configure system security parameters to prevent misuse.
Implementation: Enables the lowest security level for the File Permissions Manager.
Location: /etc/security/pscexpert/bin/filepermgr
Compliant value: l

Standard 2.2.3: Configure system security parameters to prevent misuse.
Implementation: Modifies the Network File System protocol with restricted settings that conform to the PCI security requirements. These restricted settings include disabling remote root access and anonymous UID and GID access.
Location: /etc/security/pscexpert/bin/nfsconfig
Compliant value: e

Standard 2.2.2: Enable only necessary and secure services, protocols, daemons, and so on, as required for the correct function of the system. Implement security features for any required services, protocols or daemons that are considered to be insecure.
Implementation: Disables the rlogind, rshd, and tftpd daemons, which are not secure.
Location: /etc/security/pscexpert/bin/disrmtdmns
Compliant value: d

Standard 2.2.2: Enable only necessary and secure services, protocols, daemons, and so on, as required for the correct function of the system. Implement security features for any required services, protocols or daemons that are considered to be insecure.
Implementation: Disables the rlogind, rshd, and tftpd daemons, which are not secure.
Location: /etc/security/pscexpert/bin/rmrhostsnetrc
Compliant value: h

Standard 2.2.2: Enable only necessary and secure services, protocols, daemons, and so on, as required for the correct function of the system. Implement security features for any required services, protocols or daemons that are considered to be insecure.
Implementation: Disables the rlogind, rshd, and tftpd (pci_rmetchostsequiv) daemons, which are not secure.
Location: /etc/security/pscexpert/bin/rmetchostsequiv
Compliant value: No compliant value is required.

Standard 1.3.6: Implement stateful inspection, or packet filtering, in which only established connections are allowed on the network.
Implementation: Enables the network clean_partial_conns option by setting its value to 1.
Location: /etc/security/pscexpert/bin/ntwkopts
Compliant value: clean_partial_conns=1 s

Standard 1.3.6: Implement stateful inspection, or packet filtering, in which only established connections are allowed on the network.
Implementation: Enables TCP security by setting the network tcp_tcpsecure option to a value of 7. This setting provides protection against data, reset (RST), and TCP connection request (SYN) attacks.
Location: /etc/security/pscexpert/bin/ntwkopts
Compliant value: tcp_tcpsecure=7 s

Specification: Protect unauthorized access to unused ports.
Implementation: Sets up the system to shun the hosts for 5 minutes to prevent other systems from accessing unused ports.
Location: /etc/security/pscexpert/bin/ipsecshunhosthls
Compliant value: No compliant value is required.
Note: You can enter additional filter rules in the /etc/security/aixpert/bin/filter.txt file. These rules are integrated by the ipsecshunhosthls.sh script when you apply the profile. The entries should be in the following format:
port_number:ip_address:action
where the possible values for action are Allow or Deny.

Specification: Protect the host from port scans.
Implementation: Sets up the system to shun vulnerable ports for 5 minutes, which prevents port scans.
Location: /etc/security/pscexpert/bin/ipsecshunports
Compliant value: No compliant value is required.
Note: You can enter additional filter rules in the /etc/security/aixpert/bin/filter.txt file. These rules are integrated by the ipsecshunhosthls.sh script when you apply the profile. The entries should be in the following format:
port_number:ip_address:action
where the possible values for action are Allow or Deny.

Specification: Limit object creation permissions.
Implementation: Sets default object creation permissions to 22.
Location: /etc/security/pscexpert/bin/chusrattr
Compliant value: umask=22

Specification: Limit system access.
Implementation: Makes the root ID the only one that is listed in the cron.allow file and removes the cron.deny file from the system.
Location: /etc/security/pscexpert/bin/limitsysacc
Compliant value: h

Specification: Remove dot from the path root.
Implementation: Removes the dots from the PATH environment variable in the following files that are located in the root home directory:
v .cshrc
v .kshrc
v .login
v .profile
Location: /etc/security/pscexpert/bin/rmdotfrmpathroot
Compliant value: No compliant value is required.

Specification: Remove dot from the non-root path.
Implementation: Removes the dots from the PATH environment variable in the following files that are in the user home directory:
v .cshrc
v .kshrc
v .login
v .profile
Location: /etc/security/pscexpert/bin/rmdotfrmpathnroot
Compliant value: No compliant value is required.

Specification: Limit system access.
Implementation: Adds the root user capability and user name in the /etc/ftpusers file.
Location: /etc/security/pscexpert/bin/chetcftpusers
Compliant value: a

Specification: Remove the guest account.
Implementation: Removes the guest account and its files.
Location: /etc/security/pscexpert/bin/execmds
Compliant value: "rmuser guest; rm -rf /home/guest; ODMDIR=/etc/objrepos odmdelete -q loc0=/home/guest -o inventory"

Specification: Prevent launching programs in content space.
Implementation: Enables the stack execution disable (SED) feature.
Location: /etc/security/pscexpert/bin/sedconfig
Compliant value: No compliant value is required.

Specification: Ensure that the password for root is not weak.
Implementation: Starts a root password integrity check against the root password, thereby ensuring a strong root password.
Location: /etc/security/pscexpert/bin/chuserstanza
Compliant value: /etc/security/user dictionlist=/etc/security/aixpert/dictionary/English root pci_rootpwdintchk

Standard 8.5.15: Limit access to the system by setting the session idle time.
Implementation: Sets the idle time limit to 15 minutes. If the session is idle for longer than 15 minutes, you must reenter the password.
Location: /etc/security/pscexpert/bin/autologoff
Compliant value: 900

Specification: Limit traffic access to cardholder information.
Implementation: Sets the TCP traffic regulation to its high setting, which enforces denial-of-service mitigation on ports.
Location: /etc/security/pscexpert/bin/tcptr_aixpert
Compliant value: pci

Specification: Maintain a secure connection when migrating data.
Implementation: Enables automated IP Security (IPSec) tunnel creation between Virtual I/O Servers during live partition migration.
Location: /etc/security/pscexpert/bin/cfgsecmig
Compliant value: on

Standard 1.3.5: Limit packets from unknown sources.
Implementation: Allows the packets from the Hardware Management Console.
Location: /etc/security/pscexpert/bin/ipsecpermithostorport
Compliant value: No compliant value is required.

Standard 5.1.1: Maintain antivirus software.
Implementation: Maintains the system integrity by detecting, removing, and protecting against known types of malicious software.
Location: /etc/security/pscexpert/bin/manageITsecurity
Compliant value: No compliant value is required.

Specification: Maintain access on an as-needed basis.
Implementation: Enables role-based access control (RBAC) by creating system operator, system administrator, and information system security officer user roles with the required permissions.
Location: /etc/security/pscexpert/bin/EnableRbac
Compliant value: No compliant value is required.

Related information:

Payment card industry DSS compliance

Sarbanes-Oxley Act and COBIT compliance

The Sarbanes-Oxley (SOX) Act of 2002, which is based on the 107th Congress of the United States of America, oversees the audit of public companies that are subject to the securities laws, and related matters, in order to protect the interests of investors.

SOX Section 404 mandates the management assessment over internal controls. For most organizations, internal controls span their information technology systems, which process and report the financial data of the company. The SOX Act provides specific details on IT and IT security. Many SOX auditors rely on standards, such as COBIT, as a method to gauge and audit proper IT governance and control. The PowerSC Express Edition SOX/COBIT XML configuration option provides the security configuration of AIX and Virtual I/O Server (VIOS) systems that is required to meet the COBIT compliance guidelines.

The IBM Compliance Expert Express Edition runs on AIX 7.1, AIX 6.1, and AIX 5.3.

Compliance with external standards is a responsibility of an AIX system administrator's workload. The IBM Compliance Expert Express Edition is designed to simplify managing the operating system settings and the reports that are required for standards compliance.

The preconfigured compliance profiles delivered with the IBM Compliance Expert Express Edition reduce the administrative workload of interpreting compliance documentation and implementing those standards as specific system configuration parameters.

The capabilities of the IBM Compliance Expert Express Edition are designed to help clients to effectively manage the system requirements that are associated with external standard compliance, which can potentially reduce costs while improving compliance. All external security standards include aspects other than the system configuration settings. The use of IBM Compliance Expert Express Edition cannot ensure standards compliance. The Compliance Expert is designed to simplify the management of system configuration settings, which helps administrators to focus on other aspects of standards compliance.

Related information:

COBIT compliance

Sarbanes-Oxley (SOX) compliance

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) is a security profile that focuses on the protection of Electronically Protected Health Information (EPHI).

The HIPAA Security Rule specifically focuses on the protection of EPHI, and only a subset of agencies are subject to the HIPAA Security Rule based on their functions and use of EPHI.

All HIPAA covered entities, similar to some of the federal agencies, must comply with the HIPAA Security Rule.

The HIPAA Security Rule focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule.

The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and disclosures.

The requirements, standards, and implementation specifications of the HIPAA Security Rule apply to the following covered entities:
v Healthcare providers
v Health plans
v Healthcare clearinghouses
v Medicare prescriptions and drug card sponsors

The following table details the sections of the HIPAA Security Rule; each section includes several standards and implementation specifications.

Note: All of the custom script files that are provided to maintain HIPAA compliance are in the /etc/security/pscexpert/bin directory.

Table 7. HIPAA rules and implementation details

Sections: 164.308 (a) (1) (ii) (D); 164.308 (a) (5) (ii) (C); 164.312 (b)
Specification: Implements the procedures to regularly review the records of the information system activity, such as audit logs, access reports, and security incident reports.
Implementation: Determines whether auditing is enabled in the system.
Command: # audit query
Return value: If successful, this command exits with a value of 0. If unsuccessful, the command exits with a value of 1.

Sections: 164.308 (a) (1) (ii) (D); 164.308 (a) (5) (ii) (C); 166.312 (b)
Specification: Implements the procedures to regularly review the records of the information system activity, such as audit logs, access reports, and security incident reports.
Implementation: Enables auditing in the system. Also configures the events to be captured.
Command: # audit start >/dev/null 2>&1
Return value: If successful, this command exits with a value of 0. If unsuccessful, the command exits with a value of 1.
The following events are audited: FILE_Mknod, FILE_Open, FS_Mkdir, PROC_Execute, DEV_Create, FILE_Acl, FILE_Chpriv, FILE_Fchpriv, FILE_Mode, INIT_Start, PASSWORD_Change, PASSWORD_Check, PROC_Adjtime, PROC_Kill, PROC_Privilege, PROC_Setpgid, USER_SU, USER_Change, USER_Create, USER_Login, USER_Logout, USER_Reboot, USER_Remove, USER_SetEnv, USER_SU, FILE_Acl, FILE_Fchmod, FILE_Fchown

Sections: 164.312 (a) (2) (iv)
Specification: Encryption and Decryption (A): Implements a mechanism to encrypt and decrypt the EPHI.
Implementation: Determines whether the encrypted file system (EFS) is enabled on the system.
Command: # efskeymgr -V >/dev/null 2>&1
Return value: If EFS is already enabled, this command exits with a value of 0. If EFS is not enabled, this command exits with a value of 1.

Sections: 164.312 (a) (2) (iii)
Specification: Automatic Logoff (A): Implements the electronic procedures to end an electronic session after a predefined interval of inactivity.
Implementation: Configures the system to log out from interactive processes after 15 minutes of inactivity.
Commands:
grep TMOUT= /etc/security/.profile >/dev/null 2>&1
echo "TMOUT=900 ; TIMEOUT=900; export TMOUT TIMEOUT"
Return value: If the command fails to find the value TMOUT=15, the script exits with a value of 1. Otherwise, the command exits with a value of 0.

Sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
Implementation: Ensures that all passwords contain a minimum of 14 characters.
Command: chsec -f /etc/security/user -s user -a minlen=8
Return value: If successful, this script exits with a value of 0. If unsuccessful, the script exits with an error code of 1.

Table 7. HIPAA rules and implementation details (continued)

Sections of HIPAASecurity Rule

Implementationspecification The aixpert implementation Commands and return values

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Ensures that all passwords include at least two alphabetic characters, one of which must be capitalized.
Command: chsec -f /etc/security/user -s user -a minalpha=4
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Specifies the minimum number of nonalphabetic characters in a password as 2.
Command: chsec -f /etc/security/user -s user -a minother=2
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Ensures that all passwords contain no repetitive characters.
Command: chsec -f /etc/security/user -s user -a maxrepeats=1
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Ensures that a password is not reused within the last five changes.
Command: chsec -f /etc/security/user -s user -a histsize=5
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Specifies the maximum number of weeks for the password to remain valid as 13 weeks.
Command: chsec -f /etc/security/user -s user -a maxage=8
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Removes any minimum number of weeks requirement before a password can be changed.
Command: chsec -f /etc/security/user -s user -a minage=2
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Specifies the maximum number of weeks to change an expired password, after the value of the maxage parameter set by the user expires, as 4 weeks.
Command: chsec -f /etc/security/user -s user -a maxexpired=4
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.


HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Specifies the minimum number of characters that cannot be repeated from the old password as 4 characters.
Command: chsec -f /etc/security/user -s user -a mindiff=4
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Specifies the number of days to wait before the system issues a warning that a password change is required as 5.
Command: chsec -f /etc/security/user -s user -a pwdwarntime=5
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Verifies the correctness of user definitions and fixes the errors.
Command:
/usr/bin/usrck -y ALL
/usr/bin/usrck -n ALL
Return value: The command does not return a value. The command checks and fixes the errors, if any.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Locks the account after three consecutive failed login attempts.
Command: chsec -f /etc/security/user -s user -a loginretries=3
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Specifies the delay between one unsuccessful login and the next as 5 seconds.
Command: chsec -f /etc/security/login.cfg -s default -a logindelay=5
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Specifies the number of unsuccessful login attempts on a port before the port is locked as 10.
Command: chsec -f /etc/security/lastlog -s username -a unsuccessful_login_count=10
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Specifies the time interval on a port for the unsuccessful login attempts before the port is disabled as 60 seconds.
Command: chsec -f /etc/security/lastlog -s user -a time_last_unsuccessful_login=60
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.


HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Specifies the time interval after which a port is unlocked after being disabled as 30 minutes.
Command: chsec -f /etc/security/login.cfg -s default -a loginreenable=30
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Specifies the time interval to type a password as 30 seconds.
Command: chsec -f /etc/security/login.cfg -s usw -a logintimeout=30
Return value: If successful, this script exits with a value of 0. If unsuccessful, the command exits with an error code of 1.

HIPAA sections: 164.308 (a) (5) (ii) (D); 164.312 (a) (2) (i)
Implementation specification: Password Management (A): Implements the procedures for creating, changing, and protecting passwords.
aixpert implementation: Ensures that accounts are locked after 35 days of inactivity.
Command:
grep TMOUT= /etc/security/.profile >/dev/null 2>&1
if TMOUT = (35x24x60x60) {
    chsec -f /etc/security/user -s user -a account_locked=true
}
Return value: If the command fails to set the value of account_locked to true, the script exits with a value of 1. Otherwise, the command exits with a value of 0.

HIPAA section: 164.312 (c) (1)
Implementation specification: Implements the policies and procedures to protect the EPHI from incorrect alteration or destruction.
aixpert implementation: Sets the trusted execution (TE) policies to ON.
Command: Turns on CHKEXEC, CHKSHLIB, CHKSCRIPT, CHKKERNEXT, STOP_ON_CHKFAIL, and TE=ON. For example:
trustchk -p TE=ON CHKEXEC=ON CHKSHLIB=ON CHKSCRIPT=ON CHKKERNEXT=ON
Return value: On failure, the script exits with a value of 1.

HIPAA section: 164.312 (e) (1)
Implementation specification: Implements the technical security measures to prevent unauthorized access to the EPHI that is being transmitted over an electronic communication network.
aixpert implementation: Determines whether the ssh filesets are installed. If not, displays an error message.
Command: lslpp -l | grep openssh > /dev/null 2>&1
Return value: If the return code for this command is 0, the script exits with a value of 0. If the ssh filesets are not installed, the script exits with a value of 1 and displays the error message "Install ssh filesets for secure transmission".
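The chsec values in the rows above are set once, but a per-user stanza in /etc/security/user silently overrides the default stanza, so the value a profile applied is not always the value in effect for a given account. The script below is an added example, not part of PowerSC or of the aixpert rules: it parses a constructed copy of an /etc/security/user style stanza file and reports, per user, which of the Table 7 password and lockout values are actually in effect. It assumes the AIX stanza layout (a `name:` header followed by indented `attribute = value` lines) and the AIX precedence rule that a user's own stanza wins over `default`; the target values are the ones in the chsec commands above, and the file contents and user names are constructed.

```shell
#!/bin/sh
# Added example (not PowerSC or aixpert code): check password and lockout
# attributes from an /etc/security/user style stanza file against the values
# set by the chsec commands in Table 7. POSIX sh + awk only.

# Target values, taken from the chsec commands in Table 7.
REQUIRED="minlen=8 minalpha=4 minother=2 maxrepeats=1 histsize=5 maxage=8 \
minage=2 maxexpired=4 mindiff=4 pwdwarntime=5 loginretries=3"

# stanza_attr FILE STANZA ATTR: print ATTR from STANZA, or nothing if unset.
# Stanza files look like "name:" headers followed by indented "attr = value".
stanza_attr() {
    awk -v st="$2" -v at="$3" '
        /^[ \t]*[*#]/ { next }                      # comment lines
        /^[^ \t#][^:]*:[ \t]*$/ {                   # "stanza:" header
            cur = substr($0, 1, index($0, ":") - 1); next }
        cur == st && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == at) { print val; exit }
        }' "$1"
}

# effective_attr FILE USER ATTR: the value AIX applies to USER, i.e. the
# user's own stanza if it sets ATTR, otherwise the default stanza.
effective_attr() {
    v=$(stanza_attr "$1" "$2" "$3")
    [ -n "$v" ] || v=$(stanza_attr "$1" default "$3")
    printf '%s\n' "$v"
}

# check_user FILE USER: print PASS/FAIL per attribute; return the FAIL count.
check_user() {
    file=$1 user=$2 fails=0
    for rule in $REQUIRED; do
        attr=${rule%%=*} want=${rule#*=}
        got=$(effective_attr "$file" "$user" "$attr")
        if [ "$got" = "$want" ]; then
            printf 'PASS %s %s=%s\n' "$user" "$attr" "$got"
        else
            printf 'FAIL %s %s expected %s, found %s\n' "$user" "$attr" "$want" "${got:-unset}"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# write_sample FILE: constructed sample. The default stanza matches Table 7;
# root weakens loginretries and appuser weakens minlen in their own stanzas.
write_sample() {
    cat > "$1" <<'EOF'
* constructed sample, not a real /etc/security/user
default:
        admin = false
        minlen = 8
        minalpha = 4
        minother = 2
        maxrepeats = 1
        histsize = 5
        maxage = 8
        minage = 2
        maxexpired = 4
        mindiff = 4
        pwdwarntime = 5
        loginretries = 3

root:
        admin = true
        loginretries = 0

appuser:
        minlen = 4
EOF
}

sample=${TMPDIR:-/tmp}/user_stanza.$$
write_sample "$sample"
for u in alice root appuser; do
    check_user "$sample" "$u" | grep '^FAIL' || echo "PASS $u: all Table 7 values in effect"
done
rm -f "$sample"
```

On a real system the same functions can be pointed at /etc/security/user (and, for the login.cfg and lastlog rows, at those files with their own stanza names); the per-user override is the case that a plain `grep` of the default stanza misses.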

The following table details the functions of the HIPAA Security Rule; each function includes several standards and implementation specifications.


Table 8. HIPAA Functions and implementation details

HIPAA function: Error logging
Implementation specification: Consolidates errors from different logs and sends emails to the administrator.
aixpert implementation: Determines whether any hardware errors exist. Determines whether there are any unrecoverable errors in the trcfile file in the location /var/adm/ras/trcfile. Sends the errors to root@<hostname>.
Command: errpt -d H
Return value: If successful, this command exits with a value of 0. If unsuccessful, the command exits with a value of 1.

HIPAA function: FPM enablement
Implementation specification: Changes file permissions.
aixpert implementation: Changes the permission of files from a list of permissions and files by using the fpm command.
Command: fpm -l <level> -f <commands file>
Return value: If successful, this command exits with a value of 0. If unsuccessful, the command exits with a value of 1.

HIPAA function: RBAC enablement
Implementation specification: Creates isso, so, and sa users and assigns appropriate roles to the users.
aixpert implementation: Suggests that you create isso, so, and sa users. Assigns appropriate roles to the users.
Command: /etc/security/pscexpert/bin/RbacEnablement

Managing Security and Compliance Automation

Learn about the process of planning and deploying PowerSC Security and Compliance Automation profiles on a group of systems in accordance with the accepted IT governance and compliance procedures.

As part of compliance and IT governance, systems running similar workloads and security classes of data must be managed and configured consistently. To plan and deploy compliance on systems, complete the following tasks:

Identifying the work groups of the system

The compliance and IT governance guidelines state that systems running similar workloads and security classes of data must be managed and configured consistently. Therefore, you must identify all systems in a similar work group.

Using a nonproduction test system for the initial setup

Apply the appropriate PowerSC compliance profile to the test system.

Consider the following examples for applying compliance profiles to the AIX operating system.

Example 1: Applying DoD.xml

% aixpert -f /etc/security/aixpert/custom/DoD.xml
Processedrules=38 Passedrules=38 Failedrules=0 Level=AllRules
Input file=/etc/security/aixpert/custom/DoD.xml

In this example, there are no failed rules, that is, Failedrules=0. This means that all rules are successfully applied, and the test phase can be started. If there are failures, detailed output is generated.


Example 2: Applying PCI.xml with a failure

# aixpert -f /etc/security/aixpert/custom/PCI.xml
do_action(): rule(pci_grpck) : failed.
Processedrules=85 Passedrules=84 Failedrules=1 Level=AllRules
Input file=/etc/security/aixpert/custom/PCI.xml

The failure of the pci_grpck rule must be resolved. The possible causes for failure include the following reasons:
- The rule does not apply to the environment and must be removed.
- There is an issue on the system that must be fixed.
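Example 2 shows the two things worth reading out of the aixpert output (and, as the command-line section later on this page shows, the pscxpert output has the same shape) before a profile is pushed any further: the `do_action(): rule(<name>) : failed.` lines that name each failing rule, and the `Processedrules= Passedrules= Failedrules=` summary. The script below is an added example, not PowerSC code. It parses that output from constructed copies of the Example 1 and Example 2 text, checks that the summary adds up, and refuses a rollout unless every failed rule is on an explicit list of documented exceptions, which is the condition the later section on custom profiles describes. The `Level=` and `Input file=` lines are assumed to be present exactly as shown above.

```shell
#!/bin/sh
# Added example (not PowerSC code): parse aixpert/pscxpert output and gate a
# rollout on it. Input format is the one shown in Example 1 and Example 2.

# failed_rules FILE: names of failed rules, one per line, from lines like
#   do_action(): rule(pci_grpck) : failed.
failed_rules() {
    sed -n 's/^do_action(): rule(\([^)]*\)) : failed\.$/\1/p' "$1"
}

# summary_field FILE KEY: value of KEY=... from the summary line
# (Processedrules, Passedrules, Failedrules or Level)
summary_field() {
    tr ' ' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# gate FILE [EXCEPTION ...]: return 0 when the run is acceptable, 1 when a
# rule failed that is not a documented exception, 2 when the summary is
# missing or does not add up (Processedrules must equal Passedrules +
# Failedrules, and the do_action() failure lines must match Failedrules).
gate() {
    file=$1; shift
    processed=$(summary_field "$file" Processedrules)
    passed=$(summary_field "$file" Passedrules)
    failed=$(summary_field "$file" Failedrules)
    if [ -z "$processed" ] || [ -z "$passed" ] || [ -z "$failed" ]; then
        echo "GATE: no summary line in $file"; return 2
    fi
    seen=$(failed_rules "$file" | wc -l | tr -d ' ')
    if [ "$processed" -ne $((passed + failed)) ] || [ "$seen" -ne "$failed" ]; then
        echo "GATE: summary inconsistent (processed=$processed passed=$passed failed=$failed listed=$seen)"
        return 2
    fi
    rc=0
    for r in $(failed_rules "$file"); do
        case " $* " in
            *" $r "*) echo "GATE: $r failed, documented exception" ;;
            *)        echo "GATE: $r failed, not excepted"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "GATE: ok ($passed/$processed rules passed, level $(summary_field "$file" Level))"
    return $rc
}

# write_sample_output FILE clean|failing: constructed copies of the output
# shown in Example 1 (clean) and Example 2 (failing).
write_sample_output() {
    if [ "$2" = failing ]; then
        cat > "$1" <<'EOF'
do_action(): rule(pci_grpck) : failed.
Processedrules=85 Passedrules=84 Failedrules=1 Level=AllRules
Input file=/etc/security/aixpert/custom/PCI.xml
EOF
    else
        cat > "$1" <<'EOF'
Processedrules=38 Passedrules=38 Failedrules=0 Level=AllRules
Input file=/etc/security/aixpert/custom/DoD.xml
EOF
    fi
}

out=${TMPDIR:-/tmp}/aixpert.out.$$
write_sample_output "$out" failing
gate "$out" || echo "gate returned $?"           # pci_grpck not excepted: refused
gate "$out" pci_grpck || echo "gate returned $?" # pci_grpck documented: accepted
write_sample_output "$out" clean
gate "$out" || echo "gate returned $?"
rm -f "$out"
```

In use, the exception list is the set of rules that were removed into a documented custom profile; anything else that fails stops the deployment until it is investigated with the steps that follow.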

Investigating a failed rule

In most cases, there is no failure when applying a PowerSC security and compliance profile. However, the system can have missing installation prerequisites or other issues that require attention from the administrator.

The cause of the failure can be investigated by using the following example:

View the /etc/security/aixpert/custom/PCI.xml file and locate the failing rule. In this example the rule is pci_grpck. Run the fgrep command, search for the pci_grpck failing rule, and see the associated XML rule.

fgrep -p pci_grpck /etc/security/aixpert/custom/PCI.xml
<AIXPertEntry name="pci_grpck" function="grpck">
<AIXPertRuleType type="DLS"/>
<AIXPertDescription>Implements portions of PCI Section 8.2, Check group definitions: Verifies the correctness of group definitions and fixes the errors</AIXPertDescription>
<AIXPertPrereqList>bos.rte.security,bos.rte.date,bos.rte.ILS</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/execmds</AIXPertCommand>
<AIXPertArgs>"/usr/sbin/grpck -y ALL; /usr/sbin/grpck -n ALL"</AIXPertArgs>
<AIXPertGroup>User Group System and Password Definitions</AIXPertGroup>
</AIXPertEntry>

From the pci_grpck rule, the /usr/sbin/grpck command can be seen.

Updating the failed rule

When applying a PowerSC security and compliance profile, you can detect errors.

The system can have missing installation prerequisites or other issues that require attention from the administrator. After determining the underlying command of the failed rule, examine the system to understand why the configuration command is failing. The system might have a security issue. It might also be the case that a particular rule is not applicable to the environment of the system. In that case, a custom security profile must be created.

Creating custom security configuration profile

If a rule is not applicable to the specific environment of the system, most compliance organizations permit documented exceptions.

To remove a rule and to create a custom security policy and configuration file, complete the following steps:
1. Copy the contents of the following files into a single file named /etc/security/aixpert/custom/<my_security_policy>.xml:
   /etc/security/aixpert/custom/[PCI.xml|DoD.xml|SOX-COBIT.xml]
2. Edit the <my_security_policy>.xml file by removing the rule that is not applicable, from the opening XML tag <AIXPertEntry name... to the ending XML tag </AIXPertEntry>.

You can insert additional configuration rules for security. Insert the additional rules according to the XML AIXPertSecurityHardening schema. You cannot change the PowerSC profiles directly, but you can customize the profiles.

For most environments, you must create a custom XML policy. To distribute a custom profile to other systems, you must securely copy the customized XML policy to each system that requires the same configuration. Use a secure protocol, such as secure file transfer protocol (SFTP), to distribute the custom XML policy to other systems, and store the profile in the secure location /etc/security/aixpert/custom/<my_security_policy>.xml.

Log on to the system where the custom profile must be created, and run the following command:

pscxpert -f /etc/security/aixpert/custom/<my_security_policy>.xml
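Both procedures above, finding the command behind a failed rule and copying a profile with that rule's `<AIXPertEntry>` ... `</AIXPertEntry>` block removed, are mechanical, and scripting them keeps the edit repeatable and lets the result be checked before it is distributed. The script below is an added example, not part of PowerSC. It works on a constructed profile that follows the AIXPertEntry layout shown in the fgrep output above: the pci_grpck entry is copied from there, while the `<AIXPertSecurityHardening>` root element and the pci_minlen and pci_usrck entries are assumed. `fgrep -p` (paragraph mode) exists only on AIX, so the block extraction is done with awk instead.

```shell
#!/bin/sh
# Added example (not PowerSC code): locate a rule in an aixpert profile, show
# the command it runs, and write a custom profile with that rule removed.
# Assumes the <AIXPertEntry name="..."> ... </AIXPertEntry> layout shown on
# the page; the root element and the non-grpck entries are constructed.

# rule_block PROFILE NAME: print the <AIXPertEntry> block for NAME
# (a portable stand-in for fgrep -p, which only AIX provides).
rule_block() {
    awk -v name="$2" '
        /<AIXPertEntry[ \t]/ { inblk = index($0, "name=\"" name "\"") > 0 }
        inblk { print }
        /<\/AIXPertEntry>/ { inblk = 0 }
    ' "$1"
}

# rule_command PROFILE NAME: the AIXPertArgs text, i.e. the command the rule runs
rule_command() {
    rule_block "$1" "$2" | sed -n 's/.*<AIXPertArgs>\(.*\)<\/AIXPertArgs>.*/\1/p'
}

# drop_rule PROFILE NAME OUT: copy PROFILE to OUT without the entry NAME
# (step 2 of "Creating custom security configuration profile")
drop_rule() {
    awk -v name="$2" '
        /<AIXPertEntry[ \t]/ { skip = index($0, "name=\"" name "\"") > 0 }
        !skip { print }
        /<\/AIXPertEntry>/ { skip = 0 }
    ' "$1" > "$3"
}

# count_rules PROFILE: number of AIXPertEntry elements
count_rules() {
    grep -c '<AIXPertEntry ' "$1" || true
}

# profile_ok PROFILE: 0 if every opened entry is also closed and the root
# element is intact, so the custom profile is still parseable
profile_ok() {
    opened=$(grep -c '<AIXPertEntry ' "$1" || true)
    closed=$(grep -c '</AIXPertEntry>' "$1" || true)
    [ "$opened" -eq "$closed" ] &&
        grep -q '<AIXPertSecurityHardening>' "$1" &&
        grep -q '</AIXPertSecurityHardening>' "$1"
}

# write_sample_profile FILE: constructed profile; pci_grpck is the entry from
# the fgrep output on the page, the other two entries are made up.
write_sample_profile() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<AIXPertSecurityHardening>
<AIXPertEntry name="pci_minlen" function="minlen">
<AIXPertRuleType type="DLS"/>
<AIXPertDescription>Constructed sample entry: minimum password length</AIXPertDescription>
<AIXPertPrereqList>bos.rte.security</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/execmds</AIXPertCommand>
<AIXPertArgs>"/usr/bin/chsec -f /etc/security/user -s default -a minlen=8"</AIXPertArgs>
<AIXPertGroup>User Group System and Password Definitions</AIXPertGroup>
</AIXPertEntry>
<AIXPertEntry name="pci_grpck" function="grpck">
<AIXPertRuleType type="DLS"/>
<AIXPertDescription>Implements portions of PCI Section 8.2, Check group definitions: Verifies the correctness of group definitions and fixes the errors</AIXPertDescription>
<AIXPertPrereqList>bos.rte.security,bos.rte.date,bos.rte.ILS</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/execmds</AIXPertCommand>
<AIXPertArgs>"/usr/sbin/grpck -y ALL; /usr/sbin/grpck -n ALL"</AIXPertArgs>
<AIXPertGroup>User Group System and Password Definitions</AIXPertGroup>
</AIXPertEntry>
<AIXPertEntry name="pci_usrck" function="usrck">
<AIXPertRuleType type="DLS"/>
<AIXPertDescription>Constructed sample entry: verify user definitions</AIXPertDescription>
<AIXPertPrereqList>bos.rte.security</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/execmds</AIXPertCommand>
<AIXPertArgs>"/usr/bin/usrck -y ALL; /usr/bin/usrck -n ALL"</AIXPertArgs>
<AIXPertGroup>User Group System and Password Definitions</AIXPertGroup>
</AIXPertEntry>
</AIXPertSecurityHardening>
EOF
}

src=${TMPDIR:-/tmp}/PCI.sample.$$
custom=${TMPDIR:-/tmp}/my_security_policy.$$.xml
write_sample_profile "$src"
echo "pci_grpck runs: $(rule_command "$src" pci_grpck)"
drop_rule "$src" pci_grpck "$custom"
echo "rules before: $(count_rules "$src"), after: $(count_rules "$custom")"
profile_ok "$custom" && echo "custom profile is structurally intact"
rm -f "$src" "$custom"
```

The structural check is deliberately conservative: it only confirms that entries are balanced and the root element survived the edit, which is the damage a hand edit of the block boundaries most often causes; pscxpert -d prints the DTD if a fuller validation is wanted.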

Testing the applications with AIX Profile Manager

The security configurations can affect applications and the way the system is accessed and managed. It is important to test the applications and the expected management methods of the system before deploying the system into a production environment.

The regulatory compliance standards impose a security configuration that is more stringent than an out-of-the-box configuration. To test the system, complete the following steps:
1. Select View and Manage profiles from the right pane of the AIX Profile Manager welcome page.
2. Select the profile that is used by the template for deploying to the systems to be monitored.
3. Click Compare.
4. Select the managed group, or select individual systems within the group and click Add, to add them to the selected box.
5. Click OK.

The compare operation starts.

Monitoring systems for continued compliance with AIX Profile Manager

The security configurations can affect applications and the way the system is accessed and managed. It is important to monitor the applications and the expected management methods of the system when deploying the system into a production environment.

To use AIX Profile Manager to monitor an AIX system, complete the following steps:
1. Select View and Manage profiles from the right pane of the AIX Profile Manager welcome page.
2. Select the profile that is used by the template for deploying to the systems to be monitored.
3. Click Compare.
4. Select the managed group, or select individual systems within the group and add them to the selected box.
5. Click OK.

The compare operation starts.

Configuring PowerSC Security and Compliance Automation

Learn the procedure to configure PowerSC for Security and Compliance Automation from the command line and by using AIX Profile Manager.


Configuring PowerSC compliance options settings

Learn the basics of the PowerSC security and compliance automation feature, test the configuration on nonproduction test systems, and plan and deploy the settings. When you apply a compliance configuration, the settings change numerous configuration settings on the operating system.

Note: Some compliance standards and profiles disable Telnet, because Telnet uses clear text passwords. Therefore, you must have OpenSSH installed, configured, and working. You can use any other secure means of communication with the system being configured. These compliance standards require the root login to be disabled. Configure one or more non-root users before you continue applying the configuration changes. This configuration does not disable root, and you can log in as a non-root user and run the su command to root. Test that you can establish the SSH connection to the system, log in as the non-root user, and run the su command to root.

To access the DoD, PCI, SOX, or COBIT configuration profiles, use the following directory:
- The profiles in the AIX operating system are placed in the /etc/security/aixpert/custom directory.
- The profiles in Virtual I/O Server (VIOS) are placed in the /etc/security/aixpert/core directory.

Configuring PowerSC compliance from the command line

Implement or check the compliance profile by using the pscxpert command on the AIX system, and the viosecure command on the Virtual I/O Server (VIOS).

To apply the PowerSC compliance profiles on an AIX system, enter one of the following commands, depending on the level of security compliance you want to apply.

Table 9. PowerSC commands for AIX

Command                                                    Compliance standard
% pscxpert -f /etc/security/aixpert/custom/DoD.xml         US Department of Defense UNIX Security Technical Implementation Guide
% pscxpert -f /etc/security/aixpert/custom/Hipaa.xml       Health Insurance Portability and Accountability Act
% pscxpert -f /etc/security/aixpert/custom/PCI.xml         Payment Card Industry Data Security Standard
% pscxpert -f /etc/security/aixpert/custom/SOX-COBIT.xml   Sarbanes-Oxley Act of 2002 – COBIT IT Governance

To apply the PowerSC compliance profiles on a VIOS system, enter one of the following commands for the level of security compliance you want to apply.

Table 10. PowerSC commands for the Virtual I/O Server

Command                                                       Compliance standard
% viosecure -file /etc/security/aixpert/custom/DoD.xml        US Department of Defense UNIX Security Technical Implementation Guide
% viosecure -file /etc/security/aixpert/custom/Hipaa.xml      Health Insurance Portability and Accountability Act
% viosecure -file /etc/security/aixpert/custom/PCI.xml        Payment Card Industry Data Security Standard
% viosecure -file /etc/security/aixpert/custom/SOX-COBIT.xml  Sarbanes-Oxley Act of 2002 – COBIT IT Governance

The pscxpert command on the AIX system and the viosecure command in VIOS can take time to run because they check or set the entire system and make security-related configuration changes. The output is similar to the following example:

Processedrules=38 Passedrules=38 Failedrules=0 Level=AllRules

However, some rules fail depending on the AIX environment, the installation set, and the previous configuration.


For example, a prerequisite rule can fail because the system does not have the required installation fileset. It is necessary to understand each failure and resolve it before deploying the compliance profiles throughout the data center.

Related concepts:
“Managing Security and Compliance Automation” on page 99
Learn about the process of planning and deploying PowerSC Security and Compliance Automation profiles on a group of systems in accordance with the accepted IT governance and compliance procedures.

Configuring PowerSC compliance with AIX Profile Manager

Learn the procedure to configure PowerSC security and compliance profiles and to deploy the configuration onto an AIX managed system by using the AIX Profile Manager.

To configure PowerSC security and compliance profiles by using AIX Profile Manager, complete the following steps:
1. Log in to IBM Systems Director and select AIX Profile Manager.
2. Create a template that is based on one of the PowerSC security and compliance profiles by completing the following steps:
   a. Click View and manage templates from the right pane of the AIX Profile Manager welcome page.
   b. Click Create.
   c. Click Operating System from the Template type list.
   d. Provide a name for the template in the Configuration template name field.
   e. Click Continue > Save.
3. Select the profile to use with the template by selecting Browse under the Select which profile to use for this template option. The profiles display the following items:
   - ice_DLS.xml is the default security level of the AIX operating system.
   - ice_DoD.xml is the Department of Defense Security and Implementation Guide for UNIX settings.
   - ice_HLS.xml is a generic high-level security for AIX settings.
   - ice_LLS.xml is the low-level security for AIX settings.
   - ice_MLS.xml is the medium-level security for AIX settings.
   - ice_PCI.xml is the Payment Card Industry setting for the AIX operating system.
   - ice_SOX.xml is the SOX or COBIT settings for the AIX operating system.
4. Remove any profile from the selected box.
5. Select Add to move the required profile into the selected box.
6. Click Save.

To deploy the configuration onto an AIX managed system, complete the following steps:
1. Select View and Manage Templates from the right pane of the AIX Profile Manager welcome page.
2. Select the required template to deploy.
3. Click Deploy.
4. Select the systems to deploy the profile to, and click Add to move the required profile into the selected box.
5. Click OK to deploy the configuration template. The system is configured according to the selected template of the profile.

For the deployment to be successful for DoD, PCI, or SOX, PowerSC Express Edition or PowerSC Standard Edition must be installed at the end point of the AIX system. If the system that is being deployed does not have PowerSC installed, the deployment fails. The IBM Systems Director deploys the configuration template to the selected AIX system end points and configures them according to the compliance requirements.

Related information:
AIX Profile Manager
IBM Systems Director


PowerSC Real Time Compliance

The PowerSC Real Time Compliance feature continuously monitors enabled AIX systems to ensure that they are configured consistently and securely.

The PowerSC Real Time Compliance feature works with the PowerSC Compliance Automation and AIX Security Expert policies to provide notification when compliance violations occur or when a monitored file is changed. When the security configuration policy of a system is violated, the PowerSC Real Time Compliance feature sends an email or a text message to alert the system administrator.

The PowerSC Real Time Compliance feature is a passive security feature that supports predefined or changed compliance profiles that include the Department of Defense Security Technical Implementation Guide, the Payment Card Industry Data Security Standard, the Sarbanes-Oxley Act, and COBIT compliance. It provides a default list of files to monitor for changes, but you can add files to the list.

Installing PowerSC Real Time Compliance

The PowerSC Real Time Compliance feature is installed with the PowerSC Express Edition, and it is not part of the base AIX operating system.

To install the PowerSC Express Edition, which includes the PowerSC Real Time Compliance, complete the following steps:
1. Ensure that you are running one of the following AIX operating systems on the system where you are installing the PowerSC Real Time Compliance feature:
   - IBM AIX 6 with Technology Level 7, or later, with AIX Event Infrastructure for AIX and AIX Clusters (bos.ahafs 6.1.7.0), or later
   - IBM AIX 7 with Technology Level 1, or later, with AIX Event Infrastructure for AIX and AIX Clusters (bos.ahafs 7.1.1.0), or later
2. If you have already installed PowerSC Express Edition version 1.1.2.0, or later, you can add the required files for the PowerSC Real Time Compliance feature by reinstalling the PowerSC Express Edition or by updating the installed version of the PowerSC Real Time Compliance feature to the latest version.
3. To update the PowerSC Real Time Compliance feature fileset, install the powerscExp.rtc fileset from the installation package for PowerSC Express Edition version 1.1.2.0, or later.
4. For a new installation of PowerSC Express Edition version 1.1.2.0, or earlier, follow the instructions in Installing PowerSC Express Edition Version 1.1.2, or earlier.

Configuring PowerSC Real Time Compliance

You can configure PowerSC Real Time Compliance to send alerts when violations of a compliance profile or changes to a monitored file occur. Some examples of the profiles include the Department of Defense Security Technical Implementation Guide, the Payment Card Industry Data Security Standard, the Sarbanes-Oxley Act, and COBIT.

You can configure PowerSC Real Time Compliance by using one of the following methods:
- Enter the mkrtc command.
- Run the SMIT tool by entering the following command:

smit RTC


Identifying files monitored by the PowerSC Real Time Compliance feature

The PowerSC Real Time Compliance feature monitors a default list of files from the high-level security settings for changes. The list can be customized by adding or removing files from the list of files in the /etc/security/rtc/rtcd_policy.conf file.

There are two methods of identifying the compliance template that is applied on a system. One method is to use the pscxpert command, and the other is to use the AIX Profile Manager with IBM Systems Director.

When the compliance profile is identified, you can add additional files to the list of files to monitor by including the additional files in the /etc/security/rtc/rtcd_policy.conf file. After the file is saved, the new list is immediately used as a baseline and monitored for changes without restarting the system.

Setting alerts for PowerSC Real Time Compliance

You must configure the notification of the PowerSC Real Time Compliance feature by indicating the type of alerts and the recipients of the alerts.

The rtcd daemon, which is the main component of the PowerSC Real Time Compliance feature, obtains its information about the types of alerts and recipients from the /etc/security/rtc/rtcd.conf configuration file. You can edit this file to update the information by using a text editor.

For more information about the options and how to modify this file, see the information about the rtcd.conf file.

Related information:
/etc/security/rtc/rtcd.conf file format for real-time compliance


PowerSC Express Edition commands

The commands that are available with PowerSC Express Edition provide the method of changing thecompliance settings by using the command line.

pscxpert Command

Purpose

Aids the system administrator in setting the security configuration.

Syntax

pscxpert

pscxpert -l h|high | m|medium | l|low | d|default [ -p ] [-n -o filename] [ -a -o filename ]

pscxpert -c [ -P filename] [-r] [-R] [-l h|high | m|medium | l|low | d|default ] [ -p ]

pscxpert -u [ -p ]

pscxpert -d

pscxpert [-f profile_name ]

pscxpert [-f profile_name ] [ -a -o filename ] [ -p ]

pscxpert -t

Description

The pscxpert command sets a variety of system configuration settings to enable the desired security level.

Running the pscxpert command with only the -l flag set implements the security settings promptly without allowing the user to configure the settings. For example, running the pscxpert -l high command applies all of the high-level security settings to the system automatically. However, running the pscxpert -l command with the -n and -o filename options saves the security settings to a file specified by the filename parameter. The -f flag then applies the new configurations.

After the initial selection, a menu is displayed itemizing all security configuration options associated with the selected security level. These options can be accepted in whole or individually toggled off or on. After any secondary changes, the pscxpert command continues to apply the security settings to the computer system.

Run the pscxpert command as the root user of the target Virtual I/O Server. When you are not logged in as the root user of the target Virtual I/O Server, run the oem_setup_env command before you run the pscxpert command.

Note: Rerun the pscxpert command after any major system changes, such as the installation or update of software. If a particular security configuration item is not selected when the pscxpert command is rerun, that configuration item is skipped.

Flags


Item    Description

-a      The settings with the associated security level options are written to the file specified by the -o flag, in abbreviated format. You must specify the -o option when you specify the -a option.

-c      Checks the security settings against the previously applied set of rules. If the check against a rule fails, the previous versions of the rule are also checked. This process continues until the check passes, or until all of the instances of the failed rule in the /etc/security/aixpert/core/appliedaixpert.xml file are checked.

-d      Displays the document type definition (DTD).

-f      Applies the security settings that are provided in the specified profile_name file. The profiles are located in the /etc/security/aixpert/custom directory. The available profiles include the following standard profiles:

        DataBase.xml
            This file contains the requirements for the default database settings.

        DoD.xml
            This file contains the requirements for the Department of Defense Security Technical Implementation Guide (STIG) settings.

        DoD_to_AIXDefault.xml
            This changes the settings to the default AIX settings.

        DoDv2.xml
            This file contains the requirements for version 2 of the Department of Defense Security Technical Implementation Guide (STIG) settings.

        DoDv2_to_AIXDefault.xml
            This changes the settings to the default AIX settings.

        Hipaa.xml
            This file contains the requirements for the Health Insurance Portability and Accountability Act (HIPAA) settings.

        PCI.xml
            This file contains the requirements for the Payment Card Industry Data Security Standard settings.

        PCIv3.xml
            This file contains the requirements for the Payment Card Industry Data Security Standard Version 3 settings.

        PCI_to_AIXDefault.xml
            This file changes the settings to the default AIX settings.

        PCIv3_to_AIXDefault.xml
            This file changes the settings to the default AIX settings.

        SOX-COBIT.xml
            This file contains the requirements for the Sarbanes-Oxley Act and COBIT settings.

        You can also create custom profiles in the same directory and apply them to your settings by renaming and modifying the existing XML files.

        For example, the following command applies the HIPAA profile to your system:

        pscxpert -f /etc/security/aixpert/custom/Hipaa.xml

        When you specify the -f option, security settings are consistently applied from system to system by securely transferring and applying an appliedaixpert.xml file from system to system.

        All of the successfully applied rules are written to the /etc/security/aixpert/core/appliedaixpert.xml file and the corresponding undo action rules are written to the /etc/security/aixpert/core/undo.xml file.


-l      Sets the system security settings to the specified level. This flag has the following options:

        h|high      Specifies high-level security options.
        m|medium    Specifies medium-level security options.
        l|low       Specifies low-level security options.
        d|default   Specifies AIX standards-level security options.

        If you specify both the -l and -n flags, the security settings are not implemented on the system; they are only written to the file that you specified with the -o flag.

        All the successfully applied rules are written to the /etc/security/aixpert/core/appliedaixpert.xml file and the corresponding undo action rules are written to the /etc/security/aixpert/core/undo.xml file.

        Attention: When you use the d|default option, the option can overwrite the configured security settings that you had previously set by using the pscxpert command or independently, and restores the system to its traditional open configuration.

-n      Writes the settings with the associated security level options to the file specified by the -o flag. You must specify the -o option when you use the -n option.

-o      Stores security output to the file that is specified by the filename variable. The read and write permissions of the output file are set to root as a security precaution. This file must be protected against unwanted access.

-p      Specifies that the output of the security rules is displayed by using verbose output. The -p option logs the rules processed into the audit subsystem if the auditing option is turned on. This option can be used with any of the -l, -u, -c, and -f options.

-P      Accepts the profile name as input. This option is used along with the -c option. The -c option along with the -P option is used to check the compatibility of the system with the profile passed.

-r      Writes the existing settings of the system to the /etc/security/aixpert/check_report.txt file. You can use the output in security or compliance audit reports. The report describes each setting, how it might relate to a regulatory compliance requirement, and whether the check passed or failed.

-R      Produces the same output as the -r flag, but this flag also appends a description about each script or program used to implement the configuration setting.

-t      Displays the type of the profile applied on the system.

-u      Undoes the security settings that are applied.

        Note: You cannot use the -u flag to reverse the application of the Department of Defense Version 2 profile or the Payment Card Industry Version 3 profile. To remove these profiles after they are added, apply the profile that is included with the DoDv2_to_AIXDefault.xml file or the PCIv3_to_AIXDefault.xml file, respectively.

Parameters

Item            Description

filename        The output file that stores the security settings. Root permission is required to access this file.

profile_name    The file name of the profile that provides compliance rules for the system. Root permission is required to access this file.

Security

The pscxpert command can be run only by root.

Examples

1. To write all of the high-level security options to an output file, enter the following command:

pscxpert -l high -n -o /etc/security/pscexpert/plugin/myPreferredSettings.xml


After completing this command, the output file can be edited, and specific security rules can be commented out by enclosing them in the standard XML comment delimiters (<!-- begins the comment and --> closes the comment).

2. To apply the security settings from the Department of Defense STIG configuration file, enter the following command:

pscxpert -f /etc/security/aixpert/custom/DoD.xml

3. To apply the security settings from the HIPAA configuration file, enter the following command:

pscxpert -f /etc/security/aixpert/custom/Hipaa.xml

4. To check the security settings of the system, and to log the rules that failed into the audit subsystem, enter the following command:

pscxpert -c -p

5. To generate reports and write them to the /etc/security/aixpert/check_report.txt file, enter the following command:

pscxpert -c -r
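The workflow of examples 1 through 3, editing the settings file that -n -o writes and then applying it with -f, as an added example that is not part of the IBM documentation or of the pscxpert product: a Python script that comments out named rules in the settings file while keeping it well-formed XML, and that checks the file is still private to root before it is trusted for -f. The element names AIXPertSecurity and AIXPertEntry, the name attribute, and the sample file contents are constructed assumptions about the file's layout, not taken from this page; set ENTRY_TAG to match a real file.

```python
"""Added example (not IBM's code): edit a pscxpert settings file safely.

The file written by `pscxpert -l <level> -n -o FILE` can be edited and
individual rules commented out before it is applied with `pscxpert -f FILE`.
The element and attribute names below (AIXPertSecurity, AIXPertEntry, name=)
are assumptions about the file layout, not taken from the documentation.
"""
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample shaped like a minimal settings file (assumed layout).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AIXPertSecurity>
  <AIXPertEntry name="hls_minlen" function="minlen">
    <AIXPertDescription>Minimum password length</AIXPertDescription>
  </AIXPertEntry>
  <AIXPertEntry name="hls_telnet" function="telnet">
    <AIXPertDescription>Disable telnet</AIXPertDescription>
  </AIXPertEntry>
  <AIXPertEntry name="hls_minage" function="minage">
    <AIXPertDescription>Minimum password age</AIXPertDescription>
  </AIXPertEntry>
</AIXPertSecurity>
"""

ENTRY_TAG = "AIXPertEntry"  # assumed name of one rule element


def list_rules(xml_text):
    """Return the names of the rules that are still active (comments are
    discarded by the parser, so commented-out rules do not appear)."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in root.iter(ENTRY_TAG)]


def disable_rules(xml_text, names):
    """Wrap each named rule element in an XML comment and return the new text.

    An XML comment may not contain '--', so a rule whose body already holds
    that sequence is refused instead of producing an unparseable file. The
    result is re-parsed before it is returned, so the caller never gets a
    file that `pscxpert -f` would reject as malformed.
    """
    root = ET.fromstring(xml_text)
    wanted = set(names)
    found = set()
    for idx, child in enumerate(list(root)):
        if child.tag == ENTRY_TAG and child.get("name") in wanted:
            body = ET.tostring(child, encoding="unicode").strip()
            if "--" in body:
                raise ValueError("rule %s contains '--' and cannot be commented out"
                                 % child.get("name"))
            comment = ET.Comment(" disabled: " + body + " ")
            comment.tail = child.tail  # keep the surrounding whitespace
            root[idx] = comment
            found.add(child.get("name"))
    missing = wanted - found
    if missing:
        raise KeyError("rules not present in file: %s" % sorted(missing))
    out = '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")
    ET.fromstring(out)  # well-formedness check; raises ParseError on failure
    return out


def permission_problems(path, expected_uid=0):
    """Return the reasons the file is not private to the expected owner.

    The -o output file is documented as root read/write only and must be
    protected against unwanted access; check that before applying it.
    """
    problems = []
    if stat.S_ISLNK(os.lstat(path).st_mode):
        problems.append("path is a symbolic link")
    st = os.stat(path)
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permission bits set: %s"
                        % oct(stat.S_IMODE(st.st_mode)))
    return problems


if __name__ == "__main__":
    edited = disable_rules(SAMPLE_XML, ["hls_telnet"])
    print("active rules after edit:", list_rules(edited))
```

Run the script on a copy of the file, review the active rule list, and apply the edited copy with pscxpert -f only after permission_problems() returns an empty list for it.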

Location

Item                  Description

/usr/sbin/pscxpert    Contains the pscxpert command.

Files

Item                                       Description

/etc/security/aixpert/log/aixpert.log      Contains a trace log of applied security settings. This does not use the syslog standard. The pscxpert command writes directly to the file, has read-write permissions, and requires root security.

/etc/security/aixpert/log/firstboot.log    Contains a trace log of the security settings that were applied during the first boot of a Secure by Default (SbD) installation.

/etc/security/aixpert/core/undo.xml Contains an XML listing of security settings, which can be undone.


Notices

This information was developed for products and services that are offered in the USA.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Dept. LRAS/Bldg. 903
11501 Burnet Road
Austin, TX 78758-3400
USA

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.


Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

Portions of this code are derived from IBM Corp. Sample Programs.

© Copyright IBM Corp. _enter the year or years_. All rights reserved.

Privacy policy considerations

IBM Software products, including software as a service solutions, (“Software Offerings”) may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

If the configurations deployed for this Software Offering provide you as the customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM’s Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details the section entitled “Cookies, Web Beacons and Other Technologies” and the “IBM Software Products and Software-as-a-Service Privacy Statement” at http://www.ibm.com/software/info/product-privacy.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml.

UNIX is a registered trademark of The Open Group in the United States and other countries.


Index

C
Configuring PowerSC Security and Compliance Automation 102

D
Department of Defence STIG compliance 10

F
feature
    PowerSC Real Time Compliance 105

H
hardware and software requirements 5

I
Investigating a failed rule 100

M
Managing Security and Compliance Automation 99, 100, 101
Monitoring systems for continued compliance 101

O
overview 5

P
Payment Card Industry - DSS compliance 80
PowerSC 10, 80, 93, 99, 102
    Real-Time Compliance 105
PowerSC Express Edition 5
pscxpert command 107

R
Real-Time Compliance 105

S
security
    PowerSC
        Real-Time Compliance 105
SOX and COBIT 93

T
Testing the applications 101

U
Updating the failed rule 100


IBM®

Printed in USA

